Certified Solutions Architect Official · Niamh O'Byrne, AWS Certification Manager, who introduced all of the authors and many more solutions architects at AWS to certification testing

CertifiedSolutionsArchitectOfficial

StudyGuide-AssociateExam

JoeBaron,HishamBaz,TimBixler,BiffGaut,KevinE.Kelly,SeanSenior,JohnStamper

SeniorAcquisitionsEditor:KenyonBrownProjectEditor:GarySchwartzProductionEditor:DassiZeidelCopyEditor:KeziaEndsleyEditorialManager:MaryBethWakefieldProductionManager:KathleenWisorExecutiveEditor:JimMinatelBookDesigners:JudyFungandBillGibsonProofreader:NancyCarrascoIndexer:JohnnavanHooseDinseProjectCoordinator,Cover:BrentSavageCoverDesigner:WileyCoverImage:©GettyImages,Inc./JeremyWoodhouse

Copyright©2017byAWS

PublishedbyJohnWiley&Sons,Inc.Indianapolis,Indiana

PublishedsimultaneouslyinCanada

ISBN:978-1-119-13855-6

ISBN:978-1-119-13955-3(ebk.)

ISBN:978-1-119-13954-6(ebk.)

ManufacturedintheUnitedStatesofAmerica

Nopartofthispublicationmaybereproduced,storedinaretrievalsystemortransmittedinanyformorbyanymeans,electronic,mechanical,photocopying,recording,scanningorotherwise,exceptaspermittedunderSections107or108ofthe1976UnitedStatesCopyrightAct,withouteitherthepriorwrittenpermissionofthePublisher,orauthorizationthroughpaymentoftheappropriateper-copyfeetotheCopyrightClearanceCenter,222RosewoodDrive,Danvers,MA01923,(978)750-8400,fax(978)646-8600.RequeststothePublisherforpermissionshouldbeaddressedtothePermissionsDepartment,JohnWiley&Sons,Inc.,111RiverStreet,Hoboken,NJ07030,(201)748-6011,fax(201)748-6008,oronlineathttp://www.wiley.com/go/permissions.

LimitofLiability/DisclaimerofWarranty:Thepublisherandtheauthormakenorepresentationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthisworkandspecificallydisclaimallwarranties,includingwithoutlimitationwarrantiesoffitnessforaparticularpurpose.Nowarrantymaybecreatedorextendedbysalesorpromotionalmaterials.Theadviceandstrategiescontainedhereinmaynotbesuitableforeverysituation.Thisworkissoldwiththeunderstandingthatthepublisherisnotengagedinrenderinglegal,accounting,orotherprofessionalservices.Ifprofessionalassistanceisrequired,theservicesofacompetentprofessionalpersonshouldbesought.Neitherthepublishernortheauthorshallbeliablefordamagesarisingherefrom.ThefactthatanorganizationorWebsiteisreferredtointhisworkasacitationand/orapotentialsourceoffurtherinformationdoesnotmeanthattheauthororthepublisherendorsestheinformationtheorganizationorWebsitemayprovideorrecommendationsitmaymake.Further,readersshouldbeawarethatInternetWebsiteslistedinthisworkmayhavechangedordisappearedbetweenwhenthisworkwaswrittenandwhenitisread.

Forgeneralinformationonourotherproductsandservicesortoobtaintechnicalsupport,pleasecontactourCustomerCareDepartmentwithintheU.S.at(877)762-2974,outsidetheU.S.at(317)572-3993orfax(317)572-4002.

Wileypublishesinavarietyofprintandelectronicformatsandbyprint-on-demand.Somematerialincludedwithstandardprintversionsofthisbookmaynotbeincludedine-booksorinprint-on-demand.IfthisbookreferstomediasuchasaCDorDVDthatisnotincludedintheversionyoupurchased,youmaydownloadthismaterialathttp://booksupport.wiley.com.FormoreinformationaboutWileyproducts,visitwww.wiley.com.

LibraryofCongressControlNumber:2016949703

TRADEMARKS:Wiley,theWileylogo,andtheSybexlogoaretrademarksorregisteredtrademarksofJohnWiley&Sons,Inc.and/oritsaffiliates,intheUnitedStatesandothercountries,andmaynotbeusedwithoutwrittenpermission.AWSisaregisteredtrademarkofAmazonTechnologies,Inc.Allothertrademarksarethepropertyoftheirrespectiveowners.JohnWiley&Sons,Inc.isnotassociatedwithanyproductorvendormentionedinthisbook.

http://www.wiley.com/go/permissions

http://booksupport.wiley.com

http://www.wiley.com

FortheoriginalAWSinstructor,MikeCulver,whotaughtushowtoteach,lead,andinspirewithtenacityandkindness.

CONTENTSAcknowledgments

AbouttheAuthors

Foreword

Introduction

AssessmentTest

AnswerstoAssessmentTest

Chapter1IntroductiontoAWS

WhatIsCloudComputing?

AWSFundamentals

AWSCloudComputingPlatform

Summary

ExamEssentials

ReviewQuestions

Chapter2AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage

Introduction

ObjectStorageversusTraditionalBlockandFileStorage

AmazonSimpleStorageService(AmazonS3)Basics

Buckets

AmazonS3AdvancedFeatures

AmazonGlacier

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter3AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)

Introduction

AmazonElasticComputeCloud(AmazonEC2)

AmazonElasticBlockStore(AmazonEBS)

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter4AmazonVirtualPrivateCloud(AmazonVPC)

Introduction

AmazonVirtualPrivateCloud(AmazonVPC)

Subnets

RouteTables

InternetGateways

DynamicHostConfigurationProtocol(DHCP)OptionSets

ElasticIPAddresses(EIPs)

ElasticNetworkInterfaces(ENIs)

Endpoints

Peering

SecurityGroups

NetworkAccessControlLists(ACLs)

NetworkAddressTranslation(NAT)InstancesandNATGateways

VirtualPrivateGateways(VPGs),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter5ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling

Introduction

ElasticLoadBalancing

AmazonCloudWatch

AutoScaling

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter6AWSIdentityandAccessManagement(IAM)

Principals

Authentication

Authorization

OtherKeyFeatures

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter7DatabasesandAWS

DatabasePrimer

AmazonRelationalDatabaseService(AmazonRDS)

AmazonRedshift

AmazonDynamoDB

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter8SQS,SWF,andSNS

AmazonSimpleQueueService(AmazonSQS)

AmazonSimpleWorkflowService(AmazonSWF)

AmazonSimpleNotificationService(AmazonSNS)

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter9DomainNameSystem(DNS)andAmazonRoute53

DomainNameSystem(DNS)

AmazonRoute53Overview

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter10AmazonElastiCache

Introduction

In-MemoryCaching

AmazonElastiCache

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter11AdditionalKeyServices

Introduction

StorageandContentDelivery

Security

Analytics

DevOps

Summary

ExamEssentials

ReviewQuestions

Chapter12SecurityonAWS

Introduction

SharedResponsibilityModel

AWSComplianceProgram

AWSGlobalInfrastructureSecurity

AWSAccountSecurityFeatures

AWSCloudService-SpecificSecurity

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter13AWSRiskandCompliance

Introduction

OverviewofComplianceinAWS

EvaluatingandIntegratingAWSControls

AWSRiskandComplianceProgram

AWSReports,Certifications,andThird-PartyAttestations

Summary

ExamEssentials

ReviewQuestions

Chapter14ArchitectureBestPractices

Introduction

DesignforFailureandNothingFails

ImplementElasticity

LeverageDifferentStorageOptions

BuildSecurityinEveryLayer

ThinkParallel

LooseCouplingSetsYouFree

Don’tFearConstraints

Summary

ExamEssentials

Exercises

ReviewQuestions

AppendixAAnswerstoReviewQuestions

Chapter1:IntroductiontoAWS

Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage

Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)

Chapter4:AmazonVirtualPrivateCloud(AmazonVPC)

Chapter5:ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling

Chapter6:AWSIdentityandAccessManagement(IAM)

Chapter7:DatabasesandAWS

Chapter8:SQS,SWF,andSNS

Chapter9:DomainNameSystem(DNS)andAmazonRoute53

Chapter10:AmazonElastiCache

Chapter11:AdditionalKeyServices

Chapter12:SecurityonAWS

Chapter13:AWSRiskandCompliance

Chapter14:ArchitectureBestPractices

Advert

EULA

ListofTablesChapter3

TABLE3.1

TABLE3.2

TABLE3.3

TABLE3.4

TABLE3.5

TABLE3.6

Chapter4

TABLE4.1

TABLE4.2

TABLE4.3

TABLE4.4

TABLE4.5

Chapter6

TABLE6.1

TABLE6.2

TABLE6.3

Chapter7

TABLE7.1

TABLE7.2

TABLE7.3

TABLE7.4

TABLE7.5

Chapter12

TABLE12.1

Chapter14

TABLE14.1

ListofIllustrationsChapter1

FIGURE1.1Sixadvantagesofcloudcomputing

FIGURE1.2AWSCloudcomputingplatform

FIGURE1.3Autoscalingcapacity

FIGURE1.4AWSCloudFormationworkflowsummary

Chapter3

FIGURE3.1MemoryandvCPUsforthem4instancefamily

FIGURE3.2AworkloadusingamixofOn-DemandandReservedInstances

Chapter4

FIGURE4.1VPC,subnets,andaroutetable

FIGURE4.2VPC,subnet,routetable,andanInternetgateway

FIGURE4.3VPCpeeringconnectionsdonotsupporttransitiverouting

FIGURE4.4VPCwithVPNconnectiontoacustomernetwork

Chapter5

FIGURE5.1AutoScalinggroupbehindanElasticLoadBalancingloadbalancer

FIGURE5.2AutoScalinggroupwithpolicy

FIGURE5.3AmazonCloudWatchalarmtriggeringscalingout

Chapter6

FIGURE6.1DifferentidentitiesauthenticatingwithAWS

FIGURE6.2AssociatingIAMuserswithpolicies

Chapter7

FIGURE7.1Multi-AZAmazonRDSarchitecture

FIGURE7.2AmazonRedshiftclusterarchitecture

FIGURE7.3Table,items,attributesrelationship

FIGURE7.4Tablepartitioning

Chapter8

FIGURE8.1Messagelifecycle

FIGURE8.2Diagramofvisibilitytimeout

FIGURE8.3AmazonSWFworkflowillustration

FIGURE8.4Diagramoftopicdelivery

FIGURE8.5Diagramoffanoutscenario

Chapter9

FIGURE9.1FQDNcomponents

Chapter10

FIGURE10.1Commoncachingarchitecture

FIGURE10.2Redisreplicationgroup

Chapter11

FIGURE11.1Deliveringstaticanddynamiccontent

FIGURE11.2HighavailabilityCloudHSMarchitecture

FIGURE11.3AmazonKinesisFirehose

FIGURE11.4AmazonKinesisStreams

FIGURE11.5Examplepipeline

FIGURE11.6Simpleapplicationserverstack

FIGURE11.7SimpleapplicationserverstackwithAWSOpsWorks

FIGURE11.8Creatingastackworkflow

FIGURE11.9Updatingastackworkflow

FIGURE11.10AWSTrustedAdvisorConsoledashboard

Chapter12

FIGURE12.1Thesharedresponsibilitymodel

FIGURE12.2AmazonWebServicesregions

FIGURE12.3AmazonEC2multiplelayersofsecurity

FIGURE12.4AmazonEC2securitygroupfirewall

FIGURE12.5AmazonVPCnetworkarchitecture

FIGURE12.6Flexiblenetworkarchitectures

Chapter13

FIGURE13.1Sharedresponsibilitymodel

Chapter14

FIGURE14.1Simplewebapplicationarchitecture

FIGURE14.2Updatedwebapplicationarchitecturewithredundancy

FIGURE14.3Updatedwebapplicationarchitecturewithautoscaling

FIGURE14.4UpdatedwebapplicationarchitecturewithAmazonS3andAmazonCloudFront

FIGURE14.5UpdatedwebapplicationarchitecturewithAmazonElastiCacheandAmazonDynamoDB

FIGURE14.6Tightandloosecoupling

FIGURE14.7Samplewebapplicationforchapterexercises

kindle:embed:000B?mime=image/jpg

AcknowledgmentsTheauthorswouldliketothankafewpeoplewhohelpedusdevelopandwritethisAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExam.

First,thankstoallourfamilieswhoputupwithusspendingweekendsandeveningscreatingcontent,writingquestions,andreviewingeachother'schapters.Theirpatienceandsupportmadethisbookpossible.

NiamhO'Byrne,AWSCertificationManager,whointroducedalloftheauthorsandmanymoresolutionsarchitectsatAWStocertificationtestingandgotthisbookstartedbychallengingsomeofustoextendourreachandhelpmorecloudpractitionersgetcertified.

NathanBowerandVictoriaSteidel,amazingtechnicalwritersatAWSwhoreviewedandeditedallthecontentandeveryquestionandgentlymadeusbetterwritersandcommunicators.Theyweretirelessinreviewingandhelpingushoneandfocusourcontent.

PatrickShumate,afellowAWSsolutionsarchitectwhocontributedtestquestionsrightwhenweneededthehelptogetusoverthefinishline.

WecouldnothavewrittenthisbookwithoutthehelpofourfriendsatWiley.KenyonBrown,SeniorAcquisitionsEditor,corralledusandfocusedusontheendgoal.Additionally,wewereguidedbyGarySchwartz,ProjectEditor;KeziaEndsley,Copyeditor;andDassiZeidel,ProductionEditorwhotookoutputfromdifferentauthorsandturneditintoacohesiveandcompletefinishedproduct.

Lastly,wewanttothankallthesolutionsarchitectsatAWSwhoparticipatedincertificationblueprintdevelopment,questionwriting,andreviewsessions,andthedevelopmentofaworld-classcertificationprogramforcloudpractitionersthatissettingthestandardforourindustry.

AbouttheAuthors

JoeBaron,PrincipalSolutionsArchitectforAWS,iscurrentlyworkingwithcustomersintheSoutheasternUnitedStates.JoejoinedAWSin2009asoneofthefirstsolutionsarchitects,andintheyearssincehehashelpedcustomersofallsizes,fromsmallstartupstosomeofthelargestenterprisesintheworld,toarchitecttheirinfrastructuresandmigratetheirapplicationstothecloud.HewasalsoanearlycontributortotheAWSAssociateandProfessionalCertifiedSolutionsArchitectprograms.JoeholdsaBSdegreeinengineeringphysicsfromCornellUniversityandisproudtobean“expertgeneralist.”PriortojoiningAWS,Joehad25yearsofexperienceintechnology,withrolesindatacenterautomation,virtualization,lifesciences,high-performancecomputing,3Dvisualization,hardwareandsoftwaredevelopment,andIndependentSoftwareVendor(ISV)programmanagement.HeisalsoadedicatedhusbandtoCarolandfatheroftwochildren,MattandJessie.Whennothelpingcustomersmigrateallthethingstothecloud,Joeisanamateurclassicalpianistandcollectoroftraditionalwoodworkingtools.HelivesintheRaleigh,NCarea.

HishamBazisapassionatesoftwareengineerandsystemsarchitectwithexpertisebuildingdistributedapplicationsandhigh-performance,mission-criticalsystems.Since2013,HishamhasbeenasolutionsarchitectwithAWSworkingwithcustomerslikePinterest,Airbnb,andGeneralElectrictobuildresilientarchitecturesinthecloudwithafocusonbigdataandanalytics.PriortoAmazon,Hishamfoundedtwoearly-stagestartups,modernizedthecommunicationsnetworkconnectingcriticaltransportationinfrastructure,andimprovedcellularnetworkswithlarge-scaledataanalytics.HishamisbasedinSanFrancisco,CAandliveswithhiswife,Suki.Theycanoftenbefoundhikingtheredwoods.

TimBixler,CommercialAmericasSoutheastAreaSolutionsArchitectureLeaderforAWS,leadsteamsofsolutionsarchitectswhoprovideAWStechnicalenablement,evangelism,andknowledgetransfertocustomerslikeCapitalOne,TheCoca-ColaCompany,AOL,KochIndustries,CoxAutomotive,NASCAR,Emdeon,andNeustar.Timhasover20yearsofexperienceinimprovingsystemsandoperationalperformance,productivity,andcustomersatisfactionforprivateandpublicglobalcorporationsaswellasgovernmentagencies.HeisalsoapublicspeakerforAmazonandenjoyshelpingcustomersadoptinnovativesolutionsonAWS.Butifyouaskhis7-year-oldsonTJwhathedoes,hemightsaythatdaddyisabuilderandafixer.Whennototherwisetasked,youcanfindhimburrowedinhislabbuildingrobotsdrivenbymicrocontrollersoratthelocalBrickFairadmiringthecreationsthathehasnotimetobuild.

BiffGautstartedwritingprogramsforalivingonCP/MontheOsborne1.Sincethoseearlydays,heobtainedaBSinengineeringfromVirginiaTechwhilewritingCcodeonMS-DOS,marriedhiswife,Holly,whilewritinghisfirstGUIapps,andraisedtwochildrenwhiletransitioningfromCOMobjectsinC++towebappsin.NET.Alongtheway,heleddevelopmentteamsfrom1to50membersforcompaniesincludingNASDAQ,ThomsonReuters,Verizon,Microsoft,FINRA,andMarriott.Hehascollaboratedontwobooksandspokenatcountlessconferences,includingWindowsWorldandtheMicrosoftPDC.BiffiscurrentlyasolutionsarchitectatAWS,helpingcustomersacrossthecountryrealizethebenefitsofthecloudbydeployingsecure,available,efficientworkloadsonAWS.Andyes,that’shisrealname.

KevinE.Kelly,SolutionsArchitectureManagerandearlycontributortotheAWSSolutionsArchitectureCertificationexams,hasbeenatAWSforoversevenyearshelpingcompaniesarchitecttheirinfrastructuresandmigratetheirapplicationstothecloud.KevinhasaBSincomputersciencefromMercerUniversityandaMasterofInformationSystemsinbusinessfromtheUniversityofMontana.BeforejoiningAmazon,KevinwasanAirForceofficer,aprogrammer—includingembeddedprogramming—andatechnicalpresalesleader.KevinhasbeenthechairmanoftheWorldwideWebConsortium(W3C)CompoundDocumentFormatWorkingGroupandledthatopen-standardsworkinggroupindevelopingtheWebInteractiveCompoundDocument(WICD)profileformobileanddesktopdevices.HehasalsoservedastheW3CAdvisoryCouncilRepresentativeforHealthLevel7(HL7).KevinlivesinVirginiawithhiswife,Laurie,andtheirtwodaughters,CarolineandAmelia.Kevinisanamateurviolinandmandolinplayerandazymurgist.

SeanSeniorisasolutionsarchitectatAWS.Seanisabuilderatheartandthrivesinafast-pacedenvironmentwithcontinuouschallenges.SeanhasaBSincomputerinformationandsciencesfromtheUniversityofMarylandUniversityCollege.Seanisadevotedhusbandandfatherofabeautifulgirl.HeisaU.S.Navyveteran,avidsportsfan,andgymrat.Heloathestalkingabouthimselfinthethirdperson,butcanbepersuadedtodosoforagoodreason.

JohnStamper,PrincipalSolutionsArchitectatAWS,isaco-inventorformultipleAWSpatentsandisparticularlyfondofdistributedsystemsatscale.JohnholdsaBSinmathematicsfromJamesMadisonUniversity(94)andanMSinInformationSystemsfromGeorgeMasonUniversity(04).Inadditiontobuildingsystemsonthecloudandhelpingcustomersreimaginetheirbusinesses,Johnisadedicatedhusbandandfatherofthreechildren.HeisaCrossFitathlete,youthsportscoach,andvocalsupporterofthearts.

ForewordThisAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExamhasbeenwrittentohelpyoupreparefortheAWSCertifiedSolutionsArchitect–Associateexam.Thiscertificationisbecominganincreasinglyimportantcredentialthateveryinformationtechnologyprofessionalandcloudpractitionerwhoplans,designs,andbuildsapplicationarchitecturesfordeploymentonAWSshouldobtain.PassingtheAWSCertifiedSolutionsArchitect–Associateexamdemonstratestoyourcolleagues,employers,andtheindustryatlargethatyouknowhowtobuildanddeployAWSsolutionsthatarehighlyavailable,secure,performant,andcosteffective.

ThisstudyguidewaswrittenbyAWSsolutionsarchitectswhowroteandreviewedexamquestionsfortheAWSCertifiedSolutionsArchitectexams.Althoughnothingreplaceshands-onexperiencebuildinganddeployingavarietyofcloudapplicationsandcontrolsonAWS,thisstudyguide,andthequestionsandexercisesineachchapter,provideyouwithcoverageofthebasicAWSCloudservicescombinedwitharchitecturalrecommendationsandbestpracticesthatwillhelpprepareyoufortheexam.Combiningthisstudyguidewithproductionapplicationdeploymentexperienceandtakingthepracticeexamsonlinewillprepareyouwellandallowyoutotaketheexamwithconfidence.AddingtheAWSCertifiedSolutionsArchitect—Associatecertificationtoyourcredentialswillestablishyouasanindustry-recognizedsolutionsarchitectfortheAWSplatform!

—KevinE.KellyAmericasSolutionsArchitectureLead

AWSCertifiedSolutionsArchitect–AssociateAWSCertifiedSolutionsArchitect–Professional

Herndon,VA

IntroductionStudyingforanycertificationexamcanseemdaunting.ThisAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExamwasdesignedanddevelopedwithrelevanttopics,questions,andexercisestoenableacloudpractitionertofocustheirpreciousstudytimeandeffortonthegermanesetoftopicstargetedattherightlevelofabstractionsotheycanconfidentlytaketheAWSCertifiedSolutionsArchitect–Associateexam.

Thisstudyguidepresentsasetoftopicsneededtoroundoutacloudpractitioner’shands-onexperienceswithAWSbycoveringthebasicAWSCloudservicesandconceptswithinthescopeoftheAWSCertifiedSolutionsArchitect–Associateexam.ThisstudyguidebeginswithanintroductiontoAWS,whichisthenfollowedbychaptersonspecificAWSCloudservices.Inadditiontotheserviceschapters,thetopicsofsecurity,riskandcompliance,andarchitecturebestpracticesarecovered,providingthereaderwithasolidbaseforunderstandinghowtobuildanddeployapplicationsontheAWSplatform.Furthermore,theAWSarchitecturalbestpracticesandprinciplesarereinforcedineverychapterandreflectedintheself-studyquestionsandexamplestohighlightthedevelopmentanddeploymentofapplicationsforAWSthataresecure,highlyavailable,performant,andcosteffective.Eachchapterincludesspecificinformationontheserviceortopiccovered,followedbyanExamEssentialssectionthatcontainskeyinformationneededinyourexampreparation.TheExamEssentialssectionisfollowedbyanExercisesectionwithexercisesdesignedtohelpreinforcethetopicofthechapterwithhands-onlearning.Next,eachchaptercontainssamplequestionstogetyouaccustomedtoansweringquestionsaboutAWSCloudservicesandarchitecturetopics.Thebookalsocontainsaself-assessmentexamwith25questions,twopracticeexams,with50questionseachtohelpyougaugeyourreadinesstotaketheexam,andflashcardstohelpyoulearnandretainkeyfactsneededtopreparefortheexam.

Ifyouarelookingforatargetedbookwrittenbysolutionsarchitectswhowrote,reviewed,anddevelopedtheAWSCertifiedSolutionsArchitect–Associateexam,thenthisisthebookforyou.

WhatDoesThisBookCover?ThisbookcoverstopicsyouneedtoknowtopreparefortheAmazonWebServices(AWS)CertifiedSolutionsArchitect–Associateexam:

Chapter1:IntroductiontoAWSThischapterprovidesanintroductiontotheAWSCloudcomputingplatform.ItdiscussestheadvantagesofcloudcomputingandthefundamentalsofAWS.ItprovidesanoverviewoftheAWSCloudservicesthatarefundamentallyimportantfortheexam.

Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorageThischapterprovidesyouwithabasicunderstandingofthecoreobjectstorageservicesavailableonAWS:AmazonSimpleStorageService(AmazonS3)andAmazonGlacier.TheseservicesareusedtostoreobjectsonAWS.

Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)Inthischapter,youwilllearnhowAmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)providethebasicelementsofcomputeandblock-levelstoragetorunyourworkloadsonAWS.

Chapter4:AmazonVirtualPrivateCloud(AmazonVPC)ThischapterdescribesAmazonVirtualPrivateCloud(AmazonVPC),whichisacustom-definedvirtualnetworkwithinAWS.YouwilllearnhowtodesignsecurearchitecturesusingAmazonVPCtoprovisionyourownlogicallyisolatedsectionofAWS.

Chapter5:ElasticLoadBalancing,AmazonCloudWatch,andAutoScalingInthischapter,youwilllearnhowElasticLoadBalancing,AmazonCloudWatch,andAutoScalingworkindependentlyandtogethertohelpyouefficientlyandcost-effectivelydeployhighlyavailableandoptimizedworkloadsonAWS.

Chapter6:AWSIdentityandAccessManagement(IAM)ThischaptercoversAWSIdentityandAccessManagement(IAM),whichisusedtosecuretransactionswiththeAWSresourcesinyourAWSaccount.

Chapter7:DatabasesandAWSThischaptercoversessentialdatabaseconceptsandintroducesthreeofAWSmanageddatabaseservices:AmazonRelationalDatabaseService(AmazonRDS),AmazonDynamoDB,andAmazonRedshift.Thesemanagedservicessimplifythesetupandoperationofrelationaldatabases,NoSQLdatabases,anddatawarehouses.

Chapter8:SQS,SWF,andSNSThischapterfocusesonapplicationservicesinAWS,specificallyAmazonSimpleQueueService(AmazonSQS),AmazonSimpleWorkflowService(SWF),andAmazonSimpleNotificationService(AmazonSNS).ItalsocoversarchitecturalguidanceonusingtheseservicesandtheuseofAmazonSNSinmobileapplications.

Chapter9:DomainNameSystem(DNS)andAmazonRoute53Inthischapter,youwilllearnaboutDomainNameSystem(DNS)andtheAmazonRoute53service,whichisdesignedtohelpusersfindyourwebsiteorapplicationovertheInternet.

Chapter10:AmazonElastiCacheThischapterfocusesonbuildinghigh-performanceapplicationsusingin-memorycachingtechnologiesandAmazonElastiCache.

Chapter11:AdditionalKeyServicesAdditionalservicesnotcoveredinotherchaptersare

coveredinthischapter.TopicsincludeAmazonCloudFront,AWSStorageGateway,AWSDirectoryService,AWSKeyManagementService(KMS),AWSCloudHSM,AWSCloudTrail,AmazonKinesis,AmazonElasticMapReduce(AmazonEMR),AWSDataPipeline,AWSImport/Export,AWSOpsWorks,AWSCloudFormation,AWSElasticBeanstalk,AWSTrustedAdvisor,andAWSConfig.

Chapter12:SecurityonAWSThischaptercoverstherelevantsecuritytopicsthatarewithinscopefortheAWSCertifiedSolutionsArchitect–Associateexam.

Chapter13:AWSRiskandComplianceThischaptercoverstopicsassociatedwithriskandcompliance,riskmitigation,andthesharedresponsibilitymodelofusingAWS.

Chapter14:ArchitectureBestPracticesThefinalchaptercoverstheAWS-recommendeddesignprinciplesandbestpracticesforarchitectingsystemsandapplicationsfortheCloud.

InteractiveOnlineLearningEnvironmentandTestBankTheauthorshaveworkedhardtoprovidesomereallygreattoolstohelpyouwithyourcertificationprocess.TheinteractiveonlinelearningenvironmentthataccompaniestheAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExamprovidesatestbankwithstudytoolstohelpyouprepareforthecertificationexam—andincreaseyourchancesofpassingitthefirsttime!Thetestbankincludesthefollowing:

SampleTestsAllthequestionsinthisbookareprovided,includingtheassessmenttestattheendofthisIntroductionandthechapterteststhatincludethereviewquestionsattheendofeachchapter.Inaddition,therearetwopracticeexamswith50questionseach.Usethesequestionstotestyourknowledgeofthestudyguidematerial.Theonlinetestbankrunsonmultipledevices.

FlashcardsTheonlinetextbanksinclude100flashcardsspecificallywrittentohityouhard,sodon’tgetdiscouragedifyoudon’taceyourwaythroughthematfirst.They’retheretoensurethatyou’rereallyreadyfortheexam.Andnoworries—armedwiththereviewquestions,practiceexams,andflashcards,you’llbemorethanpreparedwhenexamdaycomes.Questionsareprovidedindigitalflashcardformat(aquestionfollowedbyasinglecorrectanswer).Youcanusetheflashcardstoreinforceyourlearningandprovidelast-minutetestprepbeforetheexam.

GlossaryAglossaryofkeytermsfromthisbookisavailableasafullysearchablePDF.

Gotohttp://www.wiley.com/go/sybextestpreptoregisterandgainaccesstothisinteractiveonlinelearningenvironmentandtestbankwithstudytools.

http://www.wiley.com/go/sybextestprep

ExamObjectivesTheAWSCertifiedSolutionsArchitect—AssociateexamisintendedforpeoplewhohaveexperienceindesigningdistributedapplicationsandsystemsontheAWSplatform.Herearesomeofthekeyexamtopicsthatyoushouldunderstandforthisexam:

Designinganddeployingscalable,highlyavailable,andfault-tolerantsystemsonAWS

Migratingexistingon-premisesapplicationstoAWS

IngressandegressofdatatoandfromAWS

SelectingtheappropriateAWSservicebasedondata,compute,database,orsecurityrequirements

IdentifyingappropriateuseofAWSarchitecturalbestpractices

EstimatingAWScostsandidentifyingcostcontrolmechanisms

Ingeneral,candidatesshouldhavethefollowing:

Oneormoreyearsofhands-onexperiencedesigninghighlyavailable,costefficient,secure,faulttolerant,andscalabledistributedsystemsonAWS

In-depthknowledgeofatleastonehigh-levelprogramminglanguage

AbilitytoidentifyanddefinerequirementsforanAWS-basedapplication

Experiencewithdeployinghybridsystemswithon-premisesandAWScomponents

CapabilitytoprovidebestpracticesforbuildingsecureandreliableapplicationsontheAWSplatform

Theexamcoversfourdifferentdomains,witheachdomainbrokendownintoobjectivesandsubobjectives.

ObjectiveMapThefollowingtablelistseachdomainanditsweightingintheexam,alongwiththechaptersinthebookwherethatdomain’sobjectivesandsubobjectivesarecovered.

Domain PercentageofExam

Chapter

1Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

60%

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

1,2,3,4,5,7,8,9,10,11,14

Contentmayincludethefollowing:

Howtodesigncloudservices 1,2,3,4,8,9,11,14

Planninganddesign 1,2,3,4,7,8,9,10,11,14

Monitoringandlogging 2,3,8,9,11

Familiaritywith:

BestpracticesforAWSarchitecture 1,2,4,7,8,9,10,14

Developingtoclientspecifications,includingpricing/cost(e.g.,onDemandvs.Reservedvs.Spot;RTOandRPODRDesign)

2,7,9

Architecturaltrade-offdecisions(e.g.,highavailabilityvs.cost,AmazonRelationalDatabaseService(RDS)vs.installingyourowndatabaseonAmazonElasticComputeCloud(EC2))

2,4,7,8,9,10

HybridITarchitectures(e.g.,DirectConnect,StorageGateway,VPC,DirectoryServices)

1,2,4,14

Elasticityandscalability(e.g.,AutoScaling,SQS,ELB,CloudFront) 1,2,5,7,8,9,10,14

2Domain2.0:Implementation/Deployment 10%

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonS3,AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(VPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

1,2,3,4,5,6,8,11,13


ConfigureanAmazonMachineImage(AMI). 2,3,11

OperateandextendservicemanagementinahybridITarchitecture. 1,4

Configureservicestosupportcompliancerequirementsinthecloud. 2,3,4,11,13

LaunchinstancesacrosstheAWSglobalinfrastructure. 1,2,3,5,8,11

ConfigureIAMpoliciesandbestpractices. 2,6

3Domain3.0:DataSecurity 20%

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

2,4,10,12,13


AWSsharedresponsibilitymodel 12,13

AWSplatformcompliance 11,12,13

AWSsecurityattributes(customerworkloadsdowntophysicallayer) 4,11,12,

13

AWSadministrationandsecurityservices 7,10,11,12

AWSIdentityandAccessManagement(IAM) 6,12

AmazonVirtualPrivateCloud(VPC) 4,12

AWSCloudTrail 11,12

Ingressvs.egressfiltering,andwhichAWSservicesandfeaturesfit 11,12

“Core”AmazonEC2andS3securityfeaturesets 2,4,12

Incorporatingcommonconventionalsecurityproducts(Firewall,VPN)

4,12

Designpatterns 7,13

DDoSmitigation 12

Encryptionsolutions(e.g.,keyservices) 2,11,12

Complexaccesscontrols(buildingsophisticatedsecuritygroups,ACLs,etc.)

2,12

AmazonCloudWatchforthesecurityarchitect 5

TrustedAdvisor 11

CloudWatchLogs 5

3.2Recognizecriticaldisasterrecoverytechniquesandtheirimplementation.

3,7,9,10


Disasterrecovery 3

Recoverytimeobjective 7

Recoverypointobjective 7

AmazonElasticBlockStore 3

AWSImport/Export 11

AWSStorageGateway 11

AmazonRoute53 9

Validationofdatarecoverymethod 3

4Domain4.0:Troubleshooting 10%


Generaltroubleshootinginformationandquestions 5,8

AssessmentTest1. UnderasingleAWSaccount,youhavesetupanAutoScalinggroupwithamaximumcapacityof50AmazonElasticComputeCloud(AmazonEC2)instancesinus-west-2.Whenyouscaleout,however,itonlyincreasesto20AmazonEC2instances.Whatisthelikelycause?

A. AutoScalinghasahardlimitof20AmazonEC2instances.

B. Ifnotspecified,theAutoScalinggroupmaximumcapacitydefaultsto20AmazonEC2instances.

C. TheAutoScalinggroupdesiredcapacityissetto20,soAutoScalingstoppedat20AmazonEC2instances.

D. YouhaveexceededthedefaultAmazonEC2instancelimitof20perregion.

2. ElasticLoadBalancingallowsyoutodistributetrafficacrosswhichofthefollowing?

A. OnlywithinasingleAvailabilityZone

B. MultipleAvailabilityZoneswithinaregion

C. MultipleAvailabilityZoneswithinandbetweenregions

D. MultipleAvailabilityZoneswithinandbetweenregionsandon-premisesvirtualizedinstancesrunningOpenStack

3. AmazonCloudWatchofferswhichtypesofmonitoringplans?(Choose2answers)

A. Basic

B. Detailed

C. Diagnostic

D. Precognitive

E. Retroactive

4. AnAmazonElasticComputeCloud(AmazonEC2)instanceinanAmazonVirtualPrivateCloud(AmazonVPC)subnetcansendandreceivetrafficfromtheInternetwhenwhichofthefollowingconditionsaremet?(Choose3answers)

A. NetworkAccessControlLists(ACLs)andsecuritygrouprulesdisallowalltrafficexceptrelevantInternettraffic.

B. NetworkACLsandsecuritygrouprulesallowrelevantInternettraffic.

C. AttachanInternetGateway(IGW)totheAmazonVPCandcreateasubnetroutetabletosendallnon-localtraffictothatIGW.

D. AttachaVirtualPrivateGateway(VPG)totheAmazonVPCandcreatesubnetroutestosendallnon-localtraffictothatVPG.

E. TheAmazonEC2instancehasapublicIPaddressorElasticIP(EIP)address.

F. TheAmazonEC2instancedoesnotneedapublicIPorElasticIPwhenusing

AmazonVPC.

5. IfyoulaunchfiveAmazonElasticComputeCloud(AmazonEC2)instancesinanAmazonVirtualPrivateCloud(AmazonVPC)withoutspecifyingasecuritygroup,theinstanceswillbelaunchedintoadefaultsecuritygroupthatprovideswhichofthefollowing?(Choose3answers)

A. ThefiveAmazonEC2instancescancommunicatewitheachother.

B. ThefiveAmazonEC2instancescannotcommunicatewitheachother.

C. AllinboundtrafficwillbeallowedtothefiveAmazonEC2instances.

D. NoinboundtrafficwillbeallowedtothefiveAmazonEC2instances.

E. AlloutboundtrafficwillbeallowedfromthefiveAmazonEC2instances.

F. NooutboundtrafficwillbeallowedfromthefiveAmazonEC2instances.

6. YourcompanywantstohostitssecurewebapplicationinAWS.Theinternalsecuritypoliciesconsideranyconnectionstoorfromthewebserverasinsecureandrequireapplicationdataprotection.Whatapproachesshouldyouusetoprotectdataintransitfortheapplication?(Choose2answers)

A. UseBitLockertoencryptdata.

B. UseHTTPSwithservercertificateauthentication.

C. UseanAWSIdentityandAccessManagement(IAM)role.

D. UseSecureSocketsLayer(SSL)/TransportLayerSecurity(TLS)fordatabaseconnection.

E. UseXMLfordatatransferfromclienttoserver.

7. YouhaveanapplicationthatwillrunonanAmazonElasticComputeCloud(AmazonEC2)instance.TheapplicationwillmakerequeststoAmazonSimpleStorageService(AmazonS3)andAmazonDynamoDB.Usingbestpractices,whattypeofAWSIdentityandAccessManagement(IAM)identityshouldyoucreateforyourapplicationtoaccesstheidentifiedservices?

A. IAMrole

B. IAMuser

C. IAMgroup

D. IAMdirectory

8. WhenarequestismadetoanAWSCloudservice,therequestisevaluatedtodecidewhetheritshouldbeallowedordenied.Theevaluationlogicfollowswhichofthefollowingrules?(Choose3answers)

A. Anexplicitallowoverridesanydenies.

B. Bydefault,allrequestsaredenied.

C. Anexplicitallowoverridesthedefault.

D. Anexplicitdenyoverridesanyallows.

E. Bydefault,allrequestsareallowed.

9. WhatisthedataprocessingenginebehindAmazonElasticMapReduce(AmazonEMR)?

A. ApacheHadoop

B. ApacheHive

C. ApachePig

D. ApacheHBase

10. WhattypeofAWSElasticBeanstalkenvironmenttierprovisionsresourcestosupportawebapplicationthathandlesbackgroundprocessingtasks?

A. Webserverenvironmenttier

B. Workerenvironmenttier

C. Databaseenvironmenttier

D. Batchenvironmenttier

11. WhatAmazonRelationalDatabaseService(AmazonRDS)featureprovidesthehighavailabilityforyourdatabase?

A. Regularmaintenancewindows

B. Securitygroups

C. Automatedbackups

D. Multi-AZdeployment

12. WhatadministrativetasksarehandledbyAWSforAmazonRelationalDatabaseService(AmazonRDS)databases?(Choose3answers)

A. Regularbackupsofthedatabase

B. Deployingvirtualinfrastructure

C. Deployingtheschema(forexample,tablesandstoredprocedures)

D. Patchingtheoperatingsystemanddatabasesoftware

E. Settingupnon-admindatabaseaccountsandprivileges

13. WhichofthefollowingusecasesiswellsuitedforAmazonRedshift?

A. A500TBdatawarehouseusedformarketanalytics

B. ANoSQL,unstructureddatabaseworkload

C. Ahightraffic,e-commercewebapplication

D. Anin-memorycache

14. WhichofthefollowingstatementsaboutAmazonDynamoDBsecondaryindexesistrue?

A. Therecanbemanypertable,andtheycanbecreatedatanytime.

B. Therecanonlybeonepertable,anditmustbecreatedwhenthetableiscreated.

C. Therecanbemanypertable,andtheycanbecreatedatanytime.

D. Therecanonlybeonepertable,anditmustbecreatedwhenthetableiscreated.

15. WhatistheprimaryusecaseofAmazonKinesisFirehose?

A. Ingesthugestreamsofdataandallowcustomprocessingofdatainflight.

B. IngesthugestreamsofdataandstoreittoAmazonSimpleStorageService(AmazonS3),AmazonRedshift,orAmazonElasticsearchService.

C. GenerateahugestreamofdatafromanAmazonS3bucket.

D. GenerateahugestreamofdatafromAmazonDynamoDB.

16. Yourcompanyhas17TBoffinancialtradingrecordsthatneedtobestoredforsevenyearsbylaw.Experiencehasshownthatanyrecordmorethanayearoldisunlikelytobeaccessed.Whichofthefollowingstorageplansmeetstheseneedsinthemostcost-efficientmanner?

A. StorethedataonAmazonElasticBlockStore(AmazonEBS)volumeattachedtot2.largeinstances.

B. StorethedataonAmazonSimpleStorageService(AmazonS3)withlifecyclepoliciesthatchangethestorageclasstoAmazonGlacierafteroneyear,anddeletetheobjectaftersevenyears.

C. StorethedatainAmazonDynamoDB,anddeletedataolderthansevenyears.

D. StorethedatainanAmazonGlacierVaultLock.

17. WhatmustyoudotocreatearecordofwhoaccessedyourAmazonSimpleStorageService(AmazonS3)dataandfromwhere?

A. EnableAmazonCloudWatchlogs.

B. Enableversioningonthebucket.

C. Enablewebsitehostingonthebucket.

D. Enableserveraccesslogsonthebucket.

E. CreateanAWSIdentityandAccessManagement(IAM)bucketpolicy.

18. AmazonSimpleStorageService(AmazonS3)isaneventuallyconsistentstoragesystem.Forwhatkindsofoperationsisitpossibletogetstaledataasaresultofeventualconsistency?

A. GETafterPUTofanewobject

B. GETorLISTafteraDELETE

C. GETafteroverwritePUT(PUTtoanexistingkey)

D. DELETEafterGETofnewobject

19. HowisdatastoredinAmazonSimpleStorageService(AmazonS3)forhighdurability?

A. Dataisautomaticallyreplicatedtootherregions.

B. DataisautomaticallyreplicatedtodifferentAvailabilityZoneswithinaregion.

C. Dataisreplicatedonlyifversioningisenabledonthebucket.

D. Dataisautomaticallybackedupontapeandrestoredifneeded.

20. Yourcompanyneedstoprovidestreamingaccesstovideostoauthenticatedusersaroundtheworld.Whatisagoodwaytoaccomplishthis?

A. UseAmazonSimpleStorageService(AmazonS3)bucketsineachregionwithwebsitehostingenabled.

B. StorethevideosonAmazonElasticBlockStore(AmazonEBS)volumes.

C. EnableAmazonCloudFrontwithgeolocationandsignedURLs.

D. RunafleetofAmazonElasticComputeCloud(AmazonEC2)instancestohostthevideos.

21. WhichofthefollowingaretrueabouttheAWSsharedresponsibilitymodel?(Choose3answers)

A. AWSisresponsibleforallinfrastructurecomponents(thatis,AWSCloudservices)thatsupportcustomerdeployments.

B. Thecustomerisresponsibleforthecomponentsfromtheguestoperatingsystemupward(includingupdates,securitypatches,andantivirussoftware).

C. ThecustomermayrelyonAWStomanagethesecurityoftheirworkloadsdeployedonAWS.

D. WhileAWSmanagessecurityofthecloud,securityinthecloudistheresponsibilityofthecustomer.

E. ThecustomermustaudittheAWSdatacenterspersonallytoconfirmthecomplianceofAWSsystemsandservices.

22. WhichprocessinanAmazonSimpleWorkflowService(AmazonSWF)workflowimplementsatask?

A. Decider

B. Activityworker

C. Workflowstarter

D. Businessrule

23. WhichofthefollowingistrueifyoustopanAmazonElasticComputeCloud(AmazonEC2)instancewithanElasticIPaddressinanAmazonVirtualPrivateCloud(AmazonVPC)?

A. TheinstanceisdisassociatedfromitsElasticIPaddressandmustbere-attachedwhentheinstanceisrestarted.

B. TheinstanceremainsassociatedwithitsElasticIPaddress.

C. TheElasticIPaddressisreleasedfromyouraccount.

D. TheinstanceisdisassociatedfromtheElasticIPaddresstemporarilywhileyourestarttheinstance.

24. WhichAmazonElasticComputeCloud(AmazonEC2)pricingmodelallowsyoutopaya

sethourlypriceforcompute,givingyoufullcontroloverwhentheinstancelaunchesandterminates?

A. Spotinstances

B. Reservedinstance

C. OnDemandinstances

D. Dedicatedinstances

25. UnderwhatcircumstanceswillAmazonElasticComputeCloud(AmazonEC2)instancestoredatanotbepreserved?

A. Theassociatedsecuritygroupsarechanged.

B. Theinstanceisstoppedorrebooted.

C. Theinstanceisrebootedorterminated.

D. Theinstanceisstoppedorterminated.

E. Noneoftheabove

AnswerstoAssessmentTest1. D.AutoScalingmaycauseyoutoreachlimitsofotherservices,suchasthedefaultnumberofAmazonEC2instancesyoucancurrentlylaunchwithinaregion,whichis20.

2. B.TheElasticLoadBalancingserviceallowsyoutodistributetrafficacrossagroupofAmazonElasticComputeCloud(AmazonEC2)instancesinoneormoreAvailabilityZoneswithinaregion.

3. AandB.AmazonCloudWatchhastwoplans:basicanddetailed.Therearenodiagnostic,precognitive,orretroactivemonitoringplansforAmazonCloudWatch.

4. B,C,andE.YoumustdothefollowingtocreateapublicsubnetwithInternetaccess:

AttachanIGWtoyourAmazonVPC.

Createasubnetroutetableruletosendallnon-localtraffic(forexample,0.0.0.0/0)totheIGW.

ConfigureyournetworkACLsandsecuritygrouprulestoallowrelevanttraffictoflowtoandfromyourinstance.

YoumustdothefollowingtoenableanAmazonEC2instancetosendandreceivetrafficfromtheInternet:

AssignapublicIPaddressorEIPaddress.

5. A,D,andE.Ifasecuritygroupisnotspecifiedatlaunch,thenanAmazonEC2instancewillbelaunchedintothedefaultsecuritygroupfortheAmazonVPC.Thedefaultsecuritygroupallowscommunicationbetweenallresourceswithinthesecuritygroup,allowsalloutboundtraffic,anddeniesallothertraffic.

6. BandD.Toprotectdataintransitfromtheclientstothewebapplication,HTTPSwithservercertificateauthenticationshouldbeused.Toprotectdataintransitfromthewebapplicationtothedatabase,SSL/TLSfordatabaseconnectionshouldbeused.

7. A.Don'tcreateanIAMuser(oranIAMgroup)andpasstheuser'scredentialstotheapplicationorembedthecredentialsintheapplication.Instead,createanIAMrolethatyouattachtotheAmazonEC2instancetogiveapplicationsrunningontheinstancetemporarysecuritycredentials.Thecredentialshavethepermissionsspecifiedinthepoliciesattachedtotherole.AdirectoryisnotanidentityobjectinIAM.

8. B,C,andD.Whenarequestismade,theAWSservicedecideswhetheragivenrequestshouldbeallowedordenied.Theevaluationlogicfollowstheserules:

1)Bydefault,allrequestsaredenied(ingeneral,requestsmadeusingtheaccountcredentialsforresourcesintheaccountarealwaysallowed).

2)Anexplicitallowoverridesthisdefault.

3)Anexplicitdenyoverridesanyallows.

9. A.AmazonEMRusesApacheHadoopasitsdistributeddataprocessingengine.Hadoopisanopensource,Javasoftwareframeworkthatsupportsdata-intensivedistributed

applicationsrunningonlargeclustersofcommodityhardware.Hive,Pig,andHBasearepackagesthatrunontopofHadoop.

10. B.Anenvironmenttierwhosewebapplicationrunsbackgroundjobsisknownasaworkertier.Anenvironmenttierwhosewebapplicationprocesseswebrequestsisknownasawebservertier.Databaseandbatcharenotvalidenvironmenttiers.

11. D.Multi-AZdeploymentusessynchronousreplicationtoadifferentAvailabilityZonesothatoperationscancontinueonthereplicaifthemasterdatabasestopsrespondingforanyreason.Automatedbackupsprovidedisasterrecovery,nothighavailability.Securitygroups,whileimportant,havenoeffectonavailability.Maintenancewindowsareactuallytimeswhenthedatabasemaynotbeavailable.

12. A,B,andD.AmazonRDSwilllaunchAmazonElasticComputeCloud(AmazonEC2)instances,installthedatabasesoftware,handleallpatching,andperformregularbackups.Anythingwithinthedatabasesoftware(schema,useraccounts,andsoon)istheresponsibilityofthecustomer.

13. A.AmazonRedshiftisapetabyte-scaledatawarehouse.ItisnotwellsuitedforunstructuredNoSQLdataorhighlydynamictransactionaldata.Itisinnowayacache.

14. D.Therecanbeonesecondaryindexpertable,anditmustbecreatedwhenthetableiscreated.

15. B.TheAmazonKinesisfamilyofservicesprovidesfunctionalitytoingestlargestreamsofdata.AmazonKinesisFirehoseisspecificallydesignedtoingestastreamandsaveittoanyofthethreestorageserviceslistedinResponseB.

16. B.AmazonS3andAmazonGlacierarethemostcost-effectivestorageservices.Afterayear,whentheobjectsareunlikelytobeaccessed,youcansavecostsbytransferringtheobjectstoAmazonGlacierwheretheretrievaltimeisthreetofivehours.

17. D.ServeraccesslogsprovidearecordofanyaccesstoanobjectinAmazonS3.

18. C.AmazonS3providesread-after-writeconsistencyforPUTstonewobjects(newkey),buteventualconsistencyforGETsandDELETEsofexistingobjects(existingkey).ResponseCchangestheexistingobjectsothatasubsequentGETmayfetchthepreviousandinconsistentobject.

19. B.AWSwillnevertransferdatabetweenregionsunlessdirectedtobyyou.DurabilityinAmazonS3isachievedbyreplicatingyourdatageographicallytodifferentAvailabilityZonesregardlessoftheversioningconfiguration.AWSdoesn'tusetapes.

20. C.AmazonCloudFrontprovidesthebestuserexperiencebydeliveringthedatafromageographicallyadvantageousedgelocation.SignedURLsallowyoutocontrolaccesstoauthenticatedusers.

21. A,B,andD.IntheAWSsharedresponsibilitymodel,customersretaincontrolofwhatsecuritytheychoosetoimplementtoprotecttheirowncontent,platform,applications,systems,andnetworks,nodifferentlythantheywouldforapplicationsinanon-sitedatacenter.

22. B.Anactivityworkerisaprocessorthreadthatperformstheactivitytasksthatarepartofyourworkflow.EachactivityworkerpollsAmazonSWFfornewtasksthatare

appropriateforthatactivityworkertoperform;certaintaskscanbeperformedonlybycertainactivityworkers.Afterreceivingatask,theactivityworkerprocessesthetasktocompletionandthenreportstoAmazonSWFthatthetaskwascompletedandprovidestheresult.Theactivitytaskrepresentsoneofthetasksthatyouidentifiedinyourapplication.

23. B.InanAmazonVPC,aninstance'sElasticIPaddressremainsassociatedwithaninstancewhentheinstanceisstopped.

24. C.YoupayasethourlypriceforanOnDemandinstancefromwhenyoulaunchituntilyouexplicitlystoporterminateit.Spotinstancescanbeterminatedwhenthespotpricegoesaboveyourbidprice.Reservedinstancesinvolvepayingforaninstanceoveraone-orthree-yearterm.Dedicatedinstancesrunonhardwarededicatedtoyouraccountandarenotapricingmodel.

25. D.Thedatainaninstancestorepersistsonlyduringthelifetimeofitsassociatedinstance.Ifaninstanceisstoppedorterminated,thentheinstancestoredoesnotpersist.Rebootinganinstancedoesnotshutdowntheinstance;ifaninstancereboots(intentionallyorunintentionally),dataontheinstancestorepersists.Securitygroupshavenothingtodowiththelifetimeofaninstanceandhavenoeffecthere.

Chapter1IntroductiontoAWSTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems



Howtodesigncloudservices

Planninganddesign

Familiaritywith:

BestpracticesforAWSarchitecture

HybridITarchitectures(e.g.,AWSDirectConnect,AWSStorageGateway,AmazonVirtualPrivateCloud[AmazonVPC],AWSDirectoryService)

Elasticityandscalability(e.g.,AutoScaling,AmazonSimpleQueueService[AmazonSQS],ElasticLoadBalancing,AmazonCloudFront)

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonElasticComputeCloud(AmazonEC2),AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVPC,andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.


OperateandextendservicemanagementinahybridITarchitecture.

Configureservicestosupportcompliancerequirementsinthecloud.

LaunchinstancesacrosstheAWSglobalinfrastructure.

In2006,AmazonWebServices,Inc.(AWS)beganofferingITinfrastructureservicestobusinessesintheformofwebservices,nowcommonlyknownascloud

computing.Oneofthekeybenefitsofcloudcomputingistheopportunitytoreplaceup-frontcapitalinfrastructureexpenseswithlowvariablecoststhatscalewithyourbusiness.Withthecloud,businessesnolongerneedtoplanforandprocureserversandotherITinfrastructureweeksormonthsinadvance.Instead,theycaninstantlyspinuphundredsorthousandsofserversinminutesanddeliverresultsfaster.

Today,AWSprovidesahighlyreliable,scalable,andlow-costinfrastructureplatforminthecloudthatpowershundredsofthousandsofbusinessesinmorethan190countriesaroundtheworld.

ThischapterprovidesanintroductiontotheAWSCloudcomputingplatform.ItdiscussestheadvantagesofcloudcomputingandthefundamentalsofAWS.ItprovidesanoverviewoftheAWSCloudservicesthatarefundamentallyimportantfortheexam.

WhatIsCloudComputing?Cloudcomputingistheon-demanddeliveryofITresourcesandapplicationsviatheInternetwithpay-as-you-gopricing.Whetheryourunapplicationsthatsharephotostomillionsofmobileusersordeliverservicesthatsupportthecriticaloperationsofyourbusiness,thecloudprovidesrapidaccesstoflexibleandlow-costITresources.Withcloudcomputing,youdon’tneedtomakelargeup-frontinvestmentsinhardwareandspendalotoftimemanagingthathardware.Instead,youcanprovisionexactlytherighttypeandsizeofcomputingresourcesyouneedtopoweryournewestbrightideaoroperateyourITdepartment.Withcloudcomputing,youcanaccessasmanyresourcesasyouneed,almostinstantly,andonlypayforwhatyouuse.

Initssimplestform,cloudcomputingprovidesaneasywaytoaccessservers,storage,databases,andabroadsetofapplicationservicesovertheInternet.CloudcomputingproviderssuchasAWSownandmaintainthenetwork-connectedhardwarerequiredfortheseapplicationservices,whileyouprovisionandusewhatyouneedforyourworkloads.

AdvantagesofCloudComputingCloudcomputingintroducesarevolutionaryshiftinhowtechnologyisobtained,used,andmanaged,andinhoworganizationsbudgetandpayfortechnologyservices.Withtheabilitytoreconfigurethecomputingenvironmentquicklytoadapttochangingbusinessrequirements,organizationscanoptimizespending.Capacitycanbeautomaticallyscaledupordowntomeetfluctuatingusagepatterns.Servicescanbetemporarilytakenofflineorshutdownpermanentlyasbusinessdemandsdictate.Inaddition,withpay-per-usebilling,AWSCloudservicesbecomeanoperationalexpenseinsteadofacapitalexpense.

Whileeachorganizationexperiencesauniquejourneytothecloudwithnumerousbenefits,sixadvantagesbecomeapparenttimeandtimeagain,asillustratedinFigure1.1.

FIGURE1.1Sixadvantagesofcloudcomputing

Variablevs.CapitalExpenseLet’sbeginwiththeabilitytotradecapitalexpenseforvariableoperationalexpense.Insteadofhavingtoinvestheavilyindatacentersandserversbeforeknowinghowyou’regoingtousethem,youcanpayonlywhenyouconsumecomputingresourcesandpayonlyforhowmuchyouconsume.

EconomiesofScaleAnotheradvantageofcloudcomputingisthatorganizationsbenefitfrommassiveeconomiesofscale.Byusingcloudcomputing,youcanachievealowervariablecostthanyouwouldgetonyourown.Becauseusagefromhundredsofthousandsofcustomersisaggregatedinthecloud,providerssuchasAWScanachievehighereconomiesofscale,whichtranslatesintolowerprices.

StopGuessingCapacityWhenyoumakeacapacitydecisionpriortodeployinganapplication,youoftenendupeithersittingonexpensiveidleresourcesordealingwithlimitedcapacity.Withcloudcomputing,organizationscanstopguessingaboutcapacityrequirementsfortheinfrastructurenecessarytomeettheirbusinessneeds.Theycanaccessasmuchoraslittleastheyneedandscaleupordownasrequiredwithonlyafewminutes’notice.

IncreaseSpeedandAgilityInacloudcomputingenvironment,newITresourcesareoneclickaway,whichallows

organizationstoreducethetimeittakestomakethoseresourcesavailabletodevelopersfromweekstojustminutes.Thisresultsinadramaticincreaseinspeedandagilityfortheorganization,becausethecostandtimeittakestoexperimentanddevelopissignificantlylower.

FocusonBusinessDifferentiatorsCloudcomputingallowsorganizationstofocusontheirbusinesspriorities,insteadofontheheavyliftingofracking,stacking,andpoweringservers.Byembracingthisparadigmshift,organizationscanstopspendingmoneyonrunningandmaintainingdatacenters.Thisallowsorganizationstofocusonprojectsthatdifferentiatetheirbusinesses,suchasanalyzingpetabytesofdata,deliveringvideocontent,buildinggreatmobileapplications,orevenexploringMars.

GoGlobalinMinutesAnotheradvantageofcloudcomputingistheabilitytogoglobalinminutes.Organizationscaneasilydeploytheirapplicationstomultiplelocationsaroundtheworldwithjustafewclicks.Thisallowsorganizationstoprovideredundancyacrosstheglobeandtodeliverlowerlatencyandbetterexperiencestotheircustomersatminimalcost.Goingglobalusedtobesomethingonlythelargestenterprisescouldaffordtodo,butcloudcomputingdemocratizesthisability,makingitpossibleforanyorganization.

Whilespecificquestionsontheseadvantagesofcloudcomputingareunlikelytobeontheexam,havingexposuretothesebenefitscanhelprationalizetheappropriateanswers.

CloudComputingDeploymentModelsThetwoprimarycloudcomputingdeploymentmodelsthattheexamfocusesonare“all-in”cloud-baseddeploymentsandhybriddeployments.Itisimportanttounderstandhoweachstrategyappliestoarchitecturaloptionsanddecisions.

Anall-incloud-basedapplicationisfullydeployedinthecloud,withallcomponentsoftheapplicationrunninginthecloud.Applicationsinthecloudhaveeitherbeencreatedinthecloudorhavebeenmigratedfromanexistinginfrastructuretotakeadvantageofthebenefitsofcloudcomputing.Cloud-basedapplicationscanbebuiltonlow-levelinfrastructurepiecesorcanusehigher-levelservicesthatprovideabstractionfromthemanagement,architecting,andscalingrequirementsofcoreinfrastructure.

Ahybriddeploymentisacommonapproachtakenbymanyenterprisesthatconnectsinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresources,typicallyinanexistingdatacenter.Themostcommonmethodofhybriddeploymentisbetweenthecloudandexistingon-premisesinfrastructuretoextendandgrowanorganization’sinfrastructurewhileconnectingcloudresourcestointernalsystems.Choosingbetweenanexistinginvestmentininfrastructureandmovingtotheclouddoesnotneedtobeabinarydecision.Leveragingdedicatedconnectivity,identityfederation,andintegratedtoolsallowsorganizationstorunhybridapplicationsacrosson-premisesandcloudservices.

AWSFundamentalsAtitscore,AWSprovideson-demanddeliveryofITresourcesviatheInternetonasecurecloudservicesplatform,offeringcomputepower,storage,databases,contentdelivery,andotherfunctionalitytohelpbusinessesscaleandgrow.UsingAWSresourcesinsteadofyourownislikepurchasingelectricityfromapowercompanyinsteadofrunningyourowngenerator,anditprovidesthekeyadvantagesofcloudcomputing:Capacityexactlymatchesyourneed,youpayonlyforwhatyouuse,economiesofscaleresultinlowercosts,andtheserviceisprovidedbyavendorexperiencedinrunninglarge-scalenetworks.

AWSglobalinfrastructureandAWSapproachtosecurityandcompliancearekeyfoundationalconceptstounderstandasyoupreparefortheexam.

GlobalInfrastructureAWSservesoveronemillionactivecustomersinmorethan190countries,anditcontinuestoexpanditsglobalinfrastructuresteadilytohelporganizationsachievelowerlatencyandhigherthroughputfortheirbusinessneeds.

AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Eachregionisaseparategeographicarea.Eachregionhasmultiple,isolatedlocationsknownasAvailabilityZones.AWSenablestheplacementofresourcesanddatainmultiplelocations.Resourcesaren’treplicatedacrossregionsunlessorganizationschoosetodoso.

Eachregioniscompletelyindependentandisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.EachAvailabilityZoneisalsoisolated,buttheAvailabilityZonesinaregionareconnectedthroughlow-latencylinks.AvailabilityZonesarephysicallyseparatedwithinatypicalmetropolitanregionandarelocatedinlower-riskfloodplains(specificfloodzonecategorizationvariesbyregion).Inadditiontousingadiscreteuninterruptablepowersupply(UPS)andon-sitebackupgenerators,theyareeachfedviadifferentgridsfromindependentutilities(whenavailable)toreducesinglepointsoffailurefurther.AvailabilityZonesareallredundantlyconnectedtomultipletier-1transitproviders.ByplacingresourcesinseparateAvailabilityZones,youcanprotectyourwebsiteorapplicationfromaservicedisruptionimpactingasinglelocation.

YoucanachievehighavailabilitybydeployingyourapplicationacrossmultipleAvailabilityZones.Redundantinstancesforeachtier(forexample,web,application,anddatabase)ofanapplicationshouldbeplacedindistinctAvailabilityZones,therebycreatingamultisitesolution.Ataminimum,thegoalistohaveanindependentcopyofeachapplicationstackintwoormoreAvailabilityZones.

SecurityandComplianceWhetheron-premisesoronAWS,informationsecurityisofparamountimportanceto

organizationsrunningcriticalworkloads.Securityisacorefunctionalrequirementthatprotectsmission-criticalinformationfromaccidentalordeliberatetheft,leakage,integritycompromise,anddeletion.Helpingtoprotecttheconfidentiality,integrity,andavailabilityofsystemsanddataisoftheutmostimportancetoAWS,asismaintainingyourtrustandconfidence.

ThissectionisintendedtoprovideaverybriefintroductiontoAWSapproachtosecurityandcompliance.Chapter12,“SecurityonAWS,”andChapter13,“AWSRiskandCompliance,”willaddressthesetopicsingreaterdetail,includingtheimportanceofeachontheexam.

SecurityCloudsecurityatAWSisthenumberonepriority.AllAWScustomersbenefitfromdatacenterandnetworkarchitecturesbuilttosatisfytherequirementsofthemostsecurity-sensitiveorganizations.AWSanditspartnersofferhundredsoftoolsandfeaturestohelporganizationsmeettheirsecurityobjectivesforvisibility,auditability,controllability,andagility.Thismeansthatorganizationscanhavethesecuritytheyneed,butwithoutthecapitaloutlayandwithmuchloweroperationaloverheadthaninanon-premisesenvironment.

OrganizationsleveragingAWSinheritallthebestpracticesofAWSpolicies,architecture,andoperationalprocessesbuilttosatisfytherequirementsofthemostsecurity-sensitivecustomers.TheAWSinfrastructurehasbeendesignedtoprovidethehighestavailabilitywhileputtingstrongsafeguardsinplaceregardingcustomerprivacyandsegregation.WhendeployingsystemsontheAWSCloudcomputingplatform,AWShelpsbysharingthesecurityresponsibilitieswiththeorganization.AWSmanagestheunderlyinginfrastructure,andtheorganizationcansecureanythingitdeploysonAWS.Thisaffordseachorganizationtheflexibilityandagilitytheyneedinsecuritycontrols.

Thisinfrastructureisbuiltandmanagednotonlyaccordingtosecuritybestpracticesandstandards,butalsowiththeuniqueneedsofthecloudinmind.AWSusesredundantandlayeredcontrols,continuousvalidationandtesting,andasubstantialamountofautomationtoensurethattheunderlyinginfrastructureismonitoredandprotected24/7.AWSensuresthatthesecontrolsareconsistentlyappliedineverynewdatacenterorservice.

ComplianceWhencustomersmovetheirproductionworkloadstotheAWSCloud,bothpartiesbecomeresponsibleformanagingtheITenvironment.Customersareresponsibleforsettinguptheirenvironmentinasecureandcontrolledmanner.CustomersalsoneedtomaintainadequategovernanceovertheirentireITcontrolenvironment.Bytyingtogethergovernance-focused,audit-friendlyservicefeatureswithapplicablecomplianceorauditstandards,AWSenablescustomerstobuildontraditionalcomplianceprograms.ThishelpsorganizationsestablishandoperateinanAWSsecuritycontrolenvironment.

Organizationsretaincompletecontrolandownershipovertheregioninwhichtheirdataisphysicallylocated,allowingthemtomeetregionalcomplianceanddataresidencyrequirements.

TheITinfrastructurethatAWSprovidestoorganizationsisdesignedandmanagedinalignmentwithsecuritybestpracticesandavarietyofITsecuritystandards.ThefollowingisapartiallistofthemanycertificationsandstandardswithwhichAWScomplies:

ServiceOrganizationControls(SOC)1/InternationalStandardonAssuranceEngagements(ISAE)3402,SOC2,andSOC3

FederalInformationSecurityManagementAct(FISMA),DepartmentofDefenseInformationAssuranceCertificationandAccreditationProcess(DIACAP),andFederalRiskandAuthorizationManagementProgram(FedRAMP)

PaymentCardIndustryDataSecurityStandard(PCIDSS)Level1

InternationalOrganizationforStandardization(ISO)9001,ISO27001,andISO27018

AWSprovidesawiderangeofinformationregardingitsITcontrolenvironmenttohelporganizationsachieveregulatorycommitmentsintheformofreports,certifications,accreditations,andotherthird-partyattestations.

AWSCloudComputingPlatformAWSprovidesmanycloudservicesthatyoucancombinetomeetbusinessororganizationalneeds(seeFigure1.2).Whilebeingknowledgeableaboutalltheplatformserviceswillallowyoutobeawell-roundedsolutionsarchitect,understandingtheservicesandfundamentalconceptsoutlinedinthisbookwillhelpprepareyoufortheAWSCertifiedSolutionsArchitect–Associateexam.

FIGURE1.2AWSCloudcomputingplatform

ThissectionintroducesthemajorAWSCloudservicesbycategory.Subsequentchaptersprovideadeeperviewoftheservicespertinenttotheexam.

AccessingthePlatformToaccessAWSCloudservices,youcanusetheAWSManagementConsole,theAWSCommandLineInterface(CLI),ortheAWSSoftwareDevelopmentKits(SDKs).

TheAWSManagementConsoleisawebapplicationformanagingAWSCloudservices.Theconsoleprovidesanintuitiveuserinterfaceforperformingmanytasks.Eachservicehasitsownconsole,whichcanbeaccessedfromtheAWSManagementConsole.Theconsolealsoprovidesinformationabouttheaccountandbilling.

TheAWSCommandLineInterface(CLI)isaunifiedtoolusedtomanageAWSCloudservices.Withjustonetooltodownloadandconfigure,youcancontrolmultipleservicesfromthecommandlineandautomatethemthroughscripts.

TheAWSSoftwareDevelopmentKits(SDKs)provideanapplicationprogramminginterface(API)thatinteractswiththewebservicesthatfundamentallymakeuptheAWSplatform.TheSDKsprovidesupportformanydifferentprogramminglanguagesandplatformstoallowyoutoworkwithyourpreferredlanguage.WhileyoucancertainlymakeHTTPcallsdirectly

tothewebserviceendpoints,usingtheSDKscantakethecomplexityoutofcodingbyprovidingprogrammaticaccessformanyoftheservices.

ComputeandNetworkingServicesAWSprovidesavarietyofcomputeandnetworkingservicestodelivercorefunctionalityforbusinessestodevelopandruntheirworkloads.Thesecomputeandnetworkingservicescanbeleveragedwiththestorage,database,andapplicationservicestoprovideacompletesolutionforcomputing,queryprocessing,andstorageacrossawiderangeofapplications.Thissectionoffersahigh-leveldescriptionofthecorecomputingandnetworkingservices.

AmazonElasticComputeCloud(AmazonEC2)AmazonElasticComputeCloud(AmazonEC2)isawebservicethatprovidesresizablecomputecapacityinthecloud.ItallowsorganizationstoobtainandconfigurevirtualserversinAmazon’sdatacentersandtoharnessthoseresourcestobuildandhostsoftwaresystems.Organizationscanselectfromavarietyofoperatingsystemsandresourceconfigurations(memory,CPU,storage,andsoon)thatareoptimalfortheapplicationprofileofeachworkload.AmazonEC2presentsatruevirtualcomputingenvironment,allowingorganizationstolaunchcomputeresourceswithavarietyofoperatingsystems,loadthemwithcustomapplications,andmanagenetworkaccesspermissionswhilemaintainingcompletecontrol.

AWSLambdaAWSLambdaisazero-administrationcomputeplatformforback-endwebdevelopersthatrunsyourcodeforyouontheAWSCloudandprovidesyouwithafine-grainedpricingstructure.AWSLambdarunsyourback-endcodeonitsownAWScomputefleetofAmazonEC2instancesacrossmultipleAvailabilityZonesinaregion,whichprovidesthehighavailability,security,performance,andscalabilityoftheAWSinfrastructure.

AutoScalingAutoScalingallowsorganizationstoscaleAmazonEC2capacityupordownautomaticallyaccordingtoconditionsdefinedfortheparticularworkload(seeFigure1.3).NotonlycanitbeusedtohelpmaintainapplicationavailabilityandensurethatthedesirednumberofAmazonEC2instancesarerunning,butitalsoallowsresourcestoscaleinandouttomatchthedemandsofdynamicworkloads.Insteadofprovisioningforpeakload,organizationscanoptimizecostsanduseonlythecapacitythatisactuallyneeded.

FIGURE1.3Autoscalingcapacity

AutoScalingiswellsuitedbothtoapplicationsthathavestabledemandpatternsandtoapplicationsthatexperiencehourly,daily,orweeklyvariabilityinusage.

ElasticLoadBalancingElasticLoadBalancingautomaticallydistributesincomingapplicationtrafficacrossmultipleAmazonEC2instancesinthecloud.Itenablesorganizationstoachievegreaterlevelsoffaulttoleranceintheirapplications,seamlesslyprovidingtherequiredamountofloadbalancingcapacityneededtodistributeapplicationtraffic.

AWSElasticBeanstalkAWSElasticBeanstalkisthefastestandsimplestwaytogetawebapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetails,suchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.Itprovidessupportforavarietyofplatforms,includingPHP,Java,Python,Ruby,Node.js,.NET,andGo.WithAWSElasticBeanstalk,organizationsretainfullcontrolovertheAWSresourcespoweringtheapplicationandcanaccesstheunderlyingresourcesatanytime.

AmazonVirtualPrivateCloud(AmazonVPC)AmazonVirtualPrivateCloud(AmazonVPC)letsorganizationsprovisionalogicallyisolatedsectionoftheAWSCloudwheretheycanlaunchAWSresourcesinavirtualnetworkthattheydefine.Organizationshavecompletecontroloverthevirtualenvironment,includingselectionoftheIPaddressrange,creationofsubnets,andconfigurationofroutetablesand

networkgateways.Inaddition,organizationscanextendtheircorporatedatacenternetworkstoAWSbyusinghardwareorsoftwarevirtualprivatenetwork(VPN)connectionsordedicatedcircuitsbyusingAWSDirectConnect.

AWSDirectConnectAWSDirectConnectallowsorganizationstoestablishadedicatednetworkconnectionfromtheirdatacentertoAWS.UsingAWSDirectConnect,organizationscanestablishprivateconnectivitybetweenAWSandtheirdatacenter,office,orcolocationenvironment,whichinmanycasescanreducenetworkcosts,increasebandwidththroughput,andprovideamoreconsistentnetworkexperiencethanInternet-basedVPNconnections.

AmazonRoute53AmazonRoute53isahighlyavailableandscalableDomainNameSystem(DNS)webservice.Itisdesignedtogivedevelopersandbusinessesanextremelyreliableandcost-effectivewaytorouteenduserstoInternetapplicationsbytranslatinghumanreadablenames,suchaswww.example.com,intothenumericIPaddresses,suchas192.0.2.1,thatcomputersusetoconnecttoeachother.AmazonRoute53alsoservesasdomainregistrar,allowingyoutopurchaseandmanagedomainsdirectlyfromAWS.

StorageandContentDeliveryAWSprovidesavarietyofservicestomeetyourstorageneeds,suchasAmazonSimpleStorageService,AmazonCloudFront,andAmazonElasticBlockStore.Thissectionprovidesanoverviewofthestorageandcontentdeliveryservices.

AmazonSimpleStorageService(AmazonS3)AmazonSimpleStorageService(AmazonS3)providesdevelopersandITteamswithhighlydurableandscalableobjectstoragethathandlesvirtuallyunlimitedamountsofdataandlargenumbersofconcurrentusers.Organizationscanstoreanynumberofobjectsofanytype,suchasHTMLpages,sourcecodefiles,imagefiles,andencrypteddata,andaccessthemusingHTTP-basedprotocols.AmazonS3providescost-effectiveobjectstorageforawidevarietyofusecases,includingbackupandrecovery,nearlinearchive,bigdataanalytics,disasterrecovery,cloudapplications,andcontentdistribution.

AmazonGlacierAmazonGlacierisasecure,durable,andextremelylow-coststorageservicefordataarchivingandlong-termbackup.Organizationscanreliablystorelargeorsmallamountsofdataforaverylowcostpergigabytepermonth.Tokeepcostslowforcustomers,AmazonGlacierisoptimizedforinfrequentlyaccesseddatawherearetrievaltimeofseveralhoursissuitable.AmazonS3integratescloselywithAmazonGlaciertoalloworganizationstochoosetherightstoragetierfortheirworkloads.

AmazonElasticBlockStore(AmazonEBS)AmazonElasticBlockStore(AmazonEBS)providespersistentblock-levelstoragevolumesforusewithAmazonEC2instances.EachAmazonEBSvolumeisautomaticallyreplicatedwithinitsAvailabilityZonetoprotectorganizationsfromcomponentfailure,offeringhigh

http://www.example.com

availabilityanddurability.Bydeliveringconsistentandlow-latencyperformance,AmazonEBSprovidesthediskstorageneededtorunawidevarietyofworkloads.

AWSStorageGatewayAWSStorageGatewayisaserviceconnectinganon-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandtheAWSstorageinfrastructure.Theservicesupportsindustry-standardstorageprotocolsthatworkwithexistingapplications.Itprovideslow-latencyperformancebymaintainingacacheoffrequentlyaccesseddataon-premiseswhilesecurelystoringallofyourdataencryptedinAmazonS3orAmazonGlacier.

AmazonCloudFrontAmazonCloudFrontisacontentdeliverywebservice.ItintegrateswithotherAWSCloudservicestogivedevelopersandbusinessesaneasywaytodistributecontenttousersacrosstheworldwithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.AmazonCloudFrontcanbeusedtodeliveryourentirewebsite,includingdynamic,static,streaming,andinteractivecontent,usingaglobalnetworkofedgelocations.Requestsforcontentareautomaticallyroutedtothenearestedgelocation,socontentisdeliveredwiththebestpossibleperformancetoendusersaroundtheglobe.

DatabaseServicesAWSprovidesfullymanagedrelationalandNoSQLdatabaseservices,andin-memorycachingasaserviceandapetabyte-scaledatawarehousesolution.Thissectionprovidesanoverviewoftheproductsthatthedatabaseservicescomprise.

AmazonRelationalDatabaseService(AmazonRDS)AmazonRelationalDatabaseService(AmazonRDS)providesafullymanagedrelationaldatabasewithsupportformanypopularopensourceandcommercialdatabaseengines.It’sacost-efficientservicethatallowsorganizationstolaunchsecure,highlyavailable,fault-tolerant,production-readydatabasesinminutes.BecauseAmazonRDSmanagestime-consumingadministrationtasks,includingbackups,softwarepatching,monitoring,scaling,andreplication,organizationalresourcescanfocusonrevenue-generatingapplicationsandbusinessinsteadofmundaneoperationaltasks.

AmazonDynamoDBAmazonDynamoDBisafastandflexibleNoSQLdatabaseserviceforallapplicationsthatneedconsistent,single-digitmillisecondlatencyatanyscale.Itisafullymanageddatabaseandsupportsbothdocumentandkey/valuedatamodels.Itsflexibledatamodelandreliableperformancemakeitagreatfitformobile,web,gaming,ad-tech,InternetofThings,andmanyotherapplications.

AmazonRedshiftAmazonRedshiftisafast,fullymanaged,petabyte-scaledatawarehouseservicethatmakesitsimpleandcosteffectivetoanalyzestructureddata.AmazonRedshiftprovidesastandardSQLinterfacethatletsorganizationsuseexistingbusinessintelligencetools.Byleveraging

columnarstoragetechnologythatimprovesI/Oefficiencyandparallelizingqueriesacrossmultiplenodes,AmazonRedshiftisabletodeliverfastqueryperformance.TheAmazonRedshiftarchitectureallowsorganizationstoautomatemostofthecommonadministrativetasksassociatedwithprovisioning,configuring,andmonitoringaclouddatawarehouse.

AmazonElastiCacheAmazonElastiCacheisawebservicethatsimplifiesdeployment,operation,andscalingofanin-memorycacheinthecloud.Theserviceimprovestheperformanceofwebapplicationsbyallowingorganizationstoretrieveinformationfromfast,managed,in-memorycaches,insteadofrelyingentirelyonslower,disk-baseddatabases.Asofthiswriting,AmazonElastiCachesupportsMemcachedandRediscacheengines.

ManagementToolsAWSprovidesavarietyoftoolsthathelporganizationsmanageyourAWSresources.ThissectionprovidesanoverviewofthemanagementtoolsthatAWSprovidestoorganizations.

AmazonCloudWatchAmazonCloudWatchisamonitoringserviceforAWSCloudresourcesandtheapplicationsrunningonAWS.Itallowsorganizationstocollectandtrackmetrics,collectandmonitorlogfiles,andsetalarms.ByleveragingAmazonCloudWatch,organizationscangainsystem-widevisibilityintoresourceutilization,applicationperformance,andoperationalhealth.Byusingtheseinsights,organizationscanreact,asnecessary,tokeepapplicationsrunningsmoothly.

AWSCloudFormationAWSCloudFormationgivesdevelopersandsystemsadministratorsaneffectivewaytocreateandmanageacollectionofrelatedAWSresources,provisioningandupdatingtheminanorderlyandpredictablefashion.AWSCloudFormationdefinesaJSON-basedtemplatinglanguagethatcanbeusedtodescribealltheAWSresourcesthatarenecessaryforaworkload.TemplatescanbesubmittedtoAWSCloudFormationandtheservicewilltakecareofprovisioningandconfiguringthoseresourcesinappropriateorder(seeFigure1.4).

FIGURE1.4AWSCloudFormationworkflowsummary

AWSCloudTrailAWSCloudTrailisawebservicethatrecordsAWSAPIcallsforanaccountanddeliverslogfilesforauditandreview.TherecordedinformationincludestheidentityoftheAPIcaller,thetimeoftheAPIcall,thesourceIPaddressoftheAPIcaller,therequestparameters,andtheresponseelementsreturnedbytheservice.

AWSConfigAWSConfigisafullymanagedservicethatprovidesorganizationswithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationscandiscoverexistingAWSresources,exportaninventoryoftheirAWSresourceswithallconfigurationdetails,anddeterminehowaresourcewasconfiguredatanypointintime.Thesecapabilitiesenablecomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

SecurityandIdentityAWSprovidessecurityandidentityservicesthathelporganizationssecuretheirdataandsystemsonthecloud.Thefollowingsectionexplorestheseservicesatahighlevel.

AWSIdentityandAccessManagement(IAM)AWSIdentityandAccessManagement(IAM)enablesorganizationstosecurelycontrolaccesstoAWSCloudservicesandresourcesfortheirusers.UsingIAM,organizationscancreateandmanageAWSusersandgroupsandusepermissionstoallowanddenytheiraccesstoAWSresources.

AWSKeyManagementService(KMS)AWSKeyManagementService(KMS)isamanagedservicethatmakesiteasyfororganizationstocreateandcontroltheencryptionkeysusedtoencrypttheirdataandusesHardwareSecurityModules(HSMs)toprotectthesecurityofyourkeys.AWSKMSisintegratedwithseveralotherAWSCloudservicestohelpprotectdatastoredwiththeseservices.

AWSDirectoryServiceAWSDirectoryServiceallowsorganizationstosetupandrunMicrosoftActiveDirectoryontheAWSCloudorconnecttheirAWSresourceswithanexistingon-premisesMicrosoftActiveDirectory.Organizationscanuseittomanageusersandgroups,providesinglesign-ontoapplicationsandservices,createandapplyGroupPolicies,domainjoinAmazonEC2instances,andsimplifythedeploymentandmanagementofcloud-basedLinuxandMicrosoftWindowsworkloads.

AWSCertificateManagerAWSCertificateManagerisaservicethatletsorganizationseasilyprovision,manage,anddeploySecureSocketsLayer/TransportLayerSecurity(SSL/TLS)certificatesforusewithAWSCloudservices.Itremovesthetime-consumingmanualprocessofpurchasing,uploading,andrenewingSSL/TLScertificates.WithAWSCertificateManager,organizations

canquicklyrequestacertificate,deployitonAWSresourcessuchasElasticLoadBalancingorAmazonCloudFrontdistributions,andletAWSCertificateManagerhandlecertificaterenewals.

AWSWebApplicationFirewall(WAF)AWSWebApplicationFirewall(WAF)helpsprotectwebapplicationsfromcommonattacksandexploitsthatcouldaffectapplicationavailability,compromisesecurity,orconsumeexcessiveresources.AWSWAFgivesorganizationscontroloverwhichtraffictoalloworblocktotheirwebapplicationsbydefiningcustomizablewebsecurityrules.

ApplicationServicesAWSprovidesavarietyofmanagedservicestousewithapplications.Thefollowingsectionexplorestheapplicationservicesatahighlevel.

AmazonAPIGatewayAmazonAPIGatewayisafullymanagedservicethatmakesiteasyfordeveloperstocreate,publish,maintain,monitor,andsecureAPIsatanyscale.OrganizationscancreateanAPIthatactsasa“frontdoor”forapplicationstoaccessdata,businesslogic,orfunctionalityfromback-endservices,suchasworkloadsrunningonAmazonEC2,coderunningonAWSLambda,oranywebapplication.AmazonAPIGatewayhandlesallthetasksinvolvedinacceptingandprocessinguptohundredsofthousandsofconcurrentAPIcalls,includingtrafficmanagement,authorizationandaccesscontrol,monitoring,andAPIversionmanagement.

AmazonElasticTranscoderAmazonElasticTranscoderismediatranscodinginthecloud.Itisdesignedtobeahighlyscalableandcost-effectivewayfordevelopersandbusinessestoconvert(ortranscode)mediafilesfromtheirsourceformatsintoversionsthatwillplaybackondeviceslikesmartphones,tablets,andPCs.

AmazonSimpleNotificationService(AmazonSNS)AmazonSimpleNotificationService(AmazonSNS)isawebservicethatcoordinatesandmanagesthedeliveryorsendingofmessagestorecipients.InAmazonSNS,therearetwotypesofclients—publishersandsubscribers—alsoreferredtoasproducersandconsumers.Publisherscommunicateasynchronouslywithsubscribersbyproducingandsendingamessagetoatopic,whichisalogicalaccesspointandcommunicationchannel.Subscribersconsumeorreceivethemessageornotificationoveroneofthesupportedprotocolswhentheyaresubscribedtothetopic.

AmazonSimpleEmailService(AmazonSES)AmazonSimpleEmailService(AmazonSES)isacost-effectiveemailservicethatorganizationscanusetosendtransactionalemail,marketingmessages,oranyothertypeofcontenttotheircustomers.AmazonSEScanalsobeusedtoreceivemessagesanddeliverthemtoanAmazonS3bucket,callcustomcodeviaanAWSLambdafunction,orpublishnotificationstoAmazonSNS.

AmazonSimpleWorkflowService(AmazonSWF)AmazonSimpleWorkflowService(AmazonSWF)helpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.AmazonSWFcanbethoughtofasafullymanagedstatetrackerandtaskcoordinatoronthecloud.Incommonarchitecturalpatterns,ifyourapplication’sstepstakemorethan500millisecondstocomplete,itisvitallyimportanttotrackthestateofprocessingandtoprovidetheabilitytorecoverorretryifataskfails.AmazonSWFhelpsorganizationsachievethisreliability.

AmazonSimpleQueueService(AmazonSQS)AmazonSimpleQueueService(AmazonSQS)isafast,reliable,scalable,fullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcosteffectivetodecouplethecomponentsofacloudapplication.WithAmazonSQS,organizationscantransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobealwaysavailable.

SummaryTheterm“cloudcomputing”referstotheon-demanddeliveryofITresourcesviatheInternetwithpay-as-you-gopricing.Insteadofbuying,owning,andmaintainingdatacentersandservers,organizationscanacquiretechnologysuchascomputepower,storage,databases,andotherservicesonanas-neededbasis.Withcloudcomputing,AWSmanagesandmaintainsthetechnologyinfrastructureinasecureenvironmentandbusinessesaccesstheseresourcesviatheInternettodevelopandruntheirapplications.Capacitycangroworshrinkinstantlyandbusinessespayonlyforwhattheyuse.

Cloudcomputingintroducesarevolutionaryshiftinhowtechnologyisobtained,used,andmanaged,andhoworganizationsbudgetandpayfortechnologyservices.Whileeachorganizationexperiencesauniquejourneytothecloudwithnumerousbenefits,sixadvantagesbecomeapparenttimeandtimeagain.Understandingtheseadvantagesallowsarchitectstoshapesolutionsthatdelivercontinuousbenefitstoorganizations.

AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Thisenablesorganizationstoplaceresourcesanddatainmultiplelocationsaroundtheglobe.Helpingtoprotecttheconfidentiality,integrity,andavailabilityofsystemsanddataisoftheutmostimportancetoAWS,asismaintainingthetrustandconfidenceoforganizationsaroundtheworld.

AWSoffersabroadsetofglobalcompute,storage,database,analytics,application,anddeploymentservicesthathelporganizationsmovefaster,lowerITcosts,andscaleapplications.HavingabroadunderstandingoftheseservicesallowssolutionsarchitectstodesigneffectivedistributedapplicationsandsystemsontheAWSplatform.

ExamEssentialsUnderstandtheglobalinfrastructure.AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Eachregionislocatedinaseparategeographicareaandhasmultiple,isolatedlocationsknownasAvailabilityZones.

Understandregions.AnAWSregionisaphysicalgeographiclocationthatconsistsofaclusterofdatacenters.AWSregionsenabletheplacementofresourcesanddatainmultiplelocationsaroundtheglobe.Eachregioniscompletelyindependentandisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.Resourcesaren’treplicatedacrossregionsunlessorganizationschoosetodoso.

UnderstandAvailabilityZones.AnAvailabilityZoneisoneormoredatacenterswithinaregionthataredesignedtobeisolatedfromfailuresinotherAvailabilityZones.AvailabilityZonesprovideinexpensive,low-latencynetworkconnectivitytootherzonesinthesameregion.ByplacingresourcesinseparateAvailabilityZones,organizationscanprotecttheirwebsiteorapplicationfromaservicedisruptionimpactingasinglelocation.

Understandthehybriddeploymentmodel.Ahybriddeploymentmodelisanarchitecturalpatternprovidingconnectivityforinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresourcesthatarenotlocatedinthecloud.

ReviewQuestions1. WhichofthefollowingdescribesaphysicallocationaroundtheworldwhereAWSclustersdatacenters?

A. Endpoint

B. Collection

C. Fleet

D. Region

2. EachAWSregioniscomposedoftwoormorelocationsthatofferorganizationstheabilitytooperateproductionsystemsthataremorehighlyavailable,faulttolerant,andscalablethanwouldbepossibleusingasingledatacenter.Whataretheselocationscalled?

A. AvailabilityZones

B. Replicationareas

C. Geographicdistricts

D. Computecenters

3. Whatisthedeploymenttermforanenvironmentthatextendsanexistingon-premisesinfrastructureintothecloudtoconnectcloudresourcestointernalsystems?

A. All-indeployment

B. Hybriddeployment

C. On-premisesdeployment

D. Scatterdeployment

4. WhichAWSCloudserviceallowsorganizationstogainsystem-widevisibilityintoresourceutilization,applicationperformance,andoperationalhealth?

A. AWSIdentityandAccessManagement(IAM)

B. AmazonSimpleNotificationService(AmazonSNS)

C. AmazonCloudWatch

D. AWSCloudFormation

5. WhichofthefollowingAWSCloudservicesisafullymanagedNoSQLdatabaseservice?

A. AmazonSimpleQueueService(AmazonSQS)

B. AmazonDynamoDB

C. AmazonElastiCache

D. AmazonRelationalDatabaseService(AmazonRDS)

6. Yourcompanyexperiencesfluctuationsintrafficpatternstotheire-commercewebsite

basedonflashsales.Whatservicecanhelpyourcompanydynamicallymatchtherequiredcomputecapacitytothespikeintrafficduringflashsales?

A. AutoScaling

B. AmazonGlacier

C. AmazonSimpleNotificationService(AmazonSNS)

D. AmazonVirtualPrivateCloud(AmazonVPC)

7. Yourcompanyprovidesanonlinephotosharingservice.Thedevelopmentteamislookingforwaystodeliverimagefileswiththelowestlatencytoenduserssothewebsitecontentisdeliveredwiththebestpossibleperformance.Whatservicecanhelpspeedupdistributionoftheseimagefilestoendusersaroundtheworld?

A. AmazonElasticComputeCloud(AmazonEC2)

B. AmazonRoute53

C. AWSStorageGateway

D. AmazonCloudFront

8. YourcompanyrunsanAmazonElasticComputeCloud(AmazonEC2)instanceperiodicallytoperformabatchprocessingjobonalargeandgrowingfilesystem.Attheendofthebatchjob,youshutdowntheAmazonEC2instancetosavemoneybutneedtopersistthefilesystemontheAmazonEC2instancefromthepreviousbatchruns.WhatAWSCloudservicecanyouleveragetomeettheserequirements?

A. AmazonElasticBlockStore(AmazonEBS)

B. AmazonDynamoDB

C. AmazonGlacier


9. WhatAWSCloudserviceprovidesalogicallyisolatedsectionoftheAWSCloudwhereorganizationscanlaunchAWSresourcesinavirtualnetworkthattheydefine?

A. AmazonSimpleWorkflowService(AmazonSWF)

B. AmazonRoute53

C. AmazonVirtualPrivateCloud(AmazonVPC)


10. YourcompanyprovidesamobilevotingapplicationforapopularTVshow,and5to25millionviewersallvoteina15-secondtimespan.Whatmechanismcanyouusetodecouplethevotingapplicationfromyourback-endservicesthattallythevotes?

A. AWSCloudTrail

B. AmazonSimpleQueueService(AmazonSQS)

C. AmazonRedshift

D. AmazonSimpleNotificationService(AmazonSNS)

Chapter2AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorageTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems




Planninganddesign

Monitoringandlogging

Familiaritywith:


Developingtoclientspecifications,includingpricing/cost(e.g.,OnDemandvs.Reservedvs.Spot;RecoveryTimeObjective[RTO]andRecoveryPointObjective[RPO]disasterrecoverydesign)

Architecturaltrade-offdecisions(e.g.,highavailabilityvs.cost)

HybridITarchitectures

Elasticityandscalability


2.1IdentifytheappropriatetechniquesandmethodsusingAmazonSimpleStorageService(AmazonS3)tocodeandimplementacloudsolution.


Configureservicestosupportcompliancerequirementsinthecloud.

LaunchinstancesacrosstheAWSglobalinfrastructure.

ConfigureAWSIdentityandAccessManagement(IAM)policiesandbestpractices.

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance


SecurityArchitecturewithAWS

“Core”AmazonS3securityfeaturesets

Encryptionsolutions(e.g.,keyservices)

Complexaccesscontrols(buildingsophisticatedsecuritygroups,AccessControlLists[ACLs],etc.)

IntroductionThischapterisintendedtoprovideyouwithabasicunderstandingofthecoreobjectstorageservicesavailableonAWS:AmazonSimpleStorageService(AmazonS3)andAmazonGlacier.

AmazonS3providesdevelopersandITteamswithsecure,durable,andhighly-scalablecloudstorage.AmazonS3iseasy-to-useobjectstoragewithasimplewebserviceinterfacethatyoucanusetostoreandretrieveanyamountofdatafromanywhereontheweb.AmazonS3alsoallowsyoutopayonlyforthestorageyouactuallyuse,whicheliminatesthecapacityplanningandcapacityconstraintsassociatedwithtraditionalstorage.

AmazonS3isoneoffirstservicesintroducedbyAWS,anditservesasoneofthefoundationalwebservices—nearlyanyapplicationrunninginAWSusesAmazonS3,eitherdirectlyorindirectly.AmazonS3canbeusedaloneorinconjunctionwithotherAWSservices,anditoffersaveryhighlevelofintegrationwithmanyotherAWScloudservices.Forexample,AmazonS3servesasthedurabletargetstorageforAmazonKinesisandAmazonElasticMapReduce(AmazonEMR),itisusedasthestorageforAmazonElasticBlockStore(AmazonEBS)andAmazonRelationalDatabaseService(AmazonRDS)snapshots,anditisusedasadatastagingorloadingstoragemechanismforAmazonRedshiftandAmazonDynamoDB,amongmanyotherfunctions.BecauseAmazonS3issoflexible,sohighlyintegrated,andsocommonlyused,itisimportanttounderstandthisserviceindetail.

CommonusecasesforAmazonS3storageinclude:

Backupandarchiveforon-premisesorclouddata

Content,media,andsoftwarestorageanddistribution

Bigdataanalytics

Staticwebsitehosting

Cloud-nativemobileandInternetapplicationhosting

Disasterrecovery

Tosupporttheseusecasesandmanymore,AmazonS3offersarangeofstorageclassesdesignedforvariousgenericusecases:generalpurpose,infrequentaccess,andarchive.Tohelpmanagedatathroughitslifecycle,AmazonS3offersconfigurablelifecyclepolicies.Byusinglifecyclepolicies,youcanhaveyourdataautomaticallymigratetothemostappropriatestorageclass,withoutmodifyingyourapplicationcode.Inordertocontrolwhohasaccesstoyourdata,AmazonS3providesarichsetofpermissions,accesscontrols,andencryptionoptions.

AmazonGlacierisanothercloudstorageservicerelatedtoAmazonS3,butoptimizedfordataarchivingandlong-termbackupatextremelylowcost.AmazonGlacierissuitablefor“colddata,”whichisdatathatisrarelyaccessedandforwhicharetrievaltimeofthreetofivehoursisacceptable.AmazonGlaciercanbeusedbothasastorageclassofAmazonS3(seeStorageClassesandObjectLifecycleManagementtopicsintheAmazonS3AdvancedFeaturessection),andasanindependentarchivalstorageservice(seetheAmazonGlaciersection).

ObjectStorageversusTraditionalBlockandFileStorageIntraditionalITenvironments,twokindsofstoragedominate:blockstorageandfilestorage.Blockstorageoperatesatalowerlevel—therawstoragedevicelevel—andmanagesdataasasetofnumbered,fixed-sizeblocks.Filestorageoperatesatahigherlevel—theoperatingsystemlevel—andmanagesdataasanamedhierarchyoffilesandfolders.BlockandfilestorageareoftenaccessedoveranetworkintheformofaStorageAreaNetwork(SAN)forblockstorage,usingprotocolssuchasiSCSIorFibreChannel,orasaNetworkAttachedStorage(NAS)fileserveror“filer”forfilestorage,usingprotocolssuchasCommonInternetFileSystem(CIFS)orNetworkFileSystem(NFS).Whetherdirectly-attachedornetwork-attached,blockorfile,thiskindofstorageisverycloselyassociatedwiththeserverandtheoperatingsystemthatisusingthestorage.

AmazonS3objectstorageissomethingquitedifferent.AmazonS3iscloudobjectstorage.Insteadofbeingcloselyassociatedwithaserver,AmazonS3storageisindependentofaserverandisaccessedovertheInternet.InsteadofmanagingdataasblocksorfilesusingSCSI,CIFS,orNFSprotocols,dataismanagedasobjectsusinganApplicationProgramInterface(API)builtonstandardHTTPverbs.

EachAmazonS3objectcontainsbothdataandmetadata.Objectsresideincontainerscalledbuckets,andeachobjectisidentifiedbyauniqueuser-specifiedkey(filename).Bucketsareasimpleflatfolderwithnofilesystemhierarchy.Thatis,youcanhavemultiplebuckets,butyoucan’thaveasub-bucketwithinabucket.Eachbucketcanholdanunlimitednumberofobjects.

ItiseasytothinkofanAmazonS3object(orthedataportionofanobject)asafile,andthekeyasthefilename.However,keepinmindthatAmazonS3isnotatraditionalfilesystemanddiffersinsignificantways.InAmazonS3,youGETanobjectorPUTanobject,operatingonthewholeobjectatonce,insteadofincrementallyupdatingportionsoftheobjectasyouwouldwithafile.Youcan’t“mount”abucket,“open”anobject,installanoperatingsystemonAmazonS3,orrunadatabaseonit.

Insteadofafilesystem,AmazonS3ishighly-durableandhighly-scalableobjectstoragethatisoptimizedforreadsandisbuiltwithanintentionallyminimalisticfeatureset.Itprovidesasimpleandrobustabstractionforfilestoragethatfreesyoufrommanyunderlyingdetailsthatyounormallydohavetodealwithintraditionalstorage.Forexample,withAmazonS3youdon’thavetoworryaboutdeviceorfilesystemstoragelimitsandcapacityplanning—asinglebucketcanstoreanunlimitednumberoffiles.Youalsodon’tneedtoworryaboutdatadurabilityorreplicationacrossavailabilityzones—AmazonS3objectsareautomaticallyreplicatedonmultipledevicesinmultiplefacilitieswithinaregion.Thesamewithscalability—ifyourrequestrategrowssteadily,AmazonS3automaticallypartitionsbucketstosupportveryhighrequestratesandsimultaneousaccessbymanyclients.

IfyouneedtraditionalblockorfilestorageinadditiontoAmazonS3storage,AWSprovidesoptions.TheAmazonEBSserviceprovidesblocklevelstorageforAmazonElasticComputeCloud(AmazonEC2)instances.AmazonElasticFileSystem(AWSEFS)providesnetwork-attachedsharedfilestorage(NASstorage)usingtheNFSv4protocol.

AmazonSimpleStorageService(AmazonS3)BasicsNowthatyouhaveanunderstandingofsomeofthekeydifferencesbetweentraditionalblockandfilestorageversuscloudobjectstorage,wecanexplorethebasicsofAmazonS3inmoredetail.

BucketsAbucketisacontainer(webfolder)forobjects(files)storedinAmazonS3.EveryAmazonS3objectiscontainedinabucket.Bucketsformthetop-levelnamespaceforAmazonS3,andbucketnamesareglobal.ThismeansthatyourbucketnamesmustbeuniqueacrossallAWSaccounts,muchlikeDomainNameSystem(DNS)domainnames,notjustwithinyourownaccount.Bucketnamescancontainupto63lowercaseletters,numbers,hyphens,andperiods.Youcancreateandusemultiplebuckets;youcanhaveupto100peraccountbydefault.

ItisabestpracticetousebucketnamesthatcontainyourdomainnameandconformtotherulesforDNSnames.Thisensuresthatyourbucketnamesareyourown,canbeusedinallregions,andcanhoststaticwebsites.

AWSRegionsEventhoughthenamespaceforAmazonS3bucketsisglobal,eachAmazonS3bucketiscreatedinaspecificregionthatyouchoose.Thisletsyoucontrolwhereyourdataisstored.Youcancreateandusebucketsthatarelocatedclosetoaparticularsetofendusersorcustomersinordertominimizelatency,orlocatedinaparticularregiontosatisfydatalocalityandsovereigntyconcerns,orlocatedfarawayfromyourprimaryfacilitiesinordertosatisfydisasterrecoveryandcomplianceneeds.Youcontrolthelocationofyourdata;datainanAmazonS3bucketisstoredinthatregionunlessyouexplicitlycopyittoanotherbucketlocatedinadifferentregion.

ObjectsObjectsaretheentitiesorfilesstoredinAmazonS3buckets.Anobjectcanstorevirtuallyanykindofdatainanyformat.Objectscanrangeinsizefrom0bytesupto5TB,andasinglebucketcanstoreanunlimitednumberofobjects.ThismeansthatAmazonS3canstoreavirtuallyunlimitedamountofdata.

Eachobjectconsistsofdata(thefileitself)andmetadata(dataaboutthefile).ThedataportionofanAmazonS3objectisopaquetoAmazonS3.Thismeansthatanobject’sdataistreatedassimplyastreamofbytes—AmazonS3doesn’tknoworcarewhattypeofdatayouarestoring,andtheservicedoesn’tactdifferentlyfortextdataversusbinarydata.

ThemetadataassociatedwithanAmazonS3objectisasetofname/valuepairsthatdescribetheobject.Therearetwotypesofmetadata:systemmetadataandusermetadata.SystemmetadataiscreatedandusedbyAmazonS3itself,anditincludesthingslikethedatelastmodified,objectsize,MD5digest,andHTTPContent-Type.Usermetadataisoptional,anditcanonlybespecifiedatthetimeanobjectiscreated.Youcanusecustommetadatatotagyourdatawithattributesthataremeaningfultoyou.

Keys

EveryobjectstoredinanS3bucketisidentifiedbyauniqueidentifiercalledakey.Youcanthinkofthekeyasafilename.Akeycanbeupto1024bytesofUnicodeUTF-8characters,includingembeddedslashes,backslashes,dots,anddashes.

Keysmustbeuniquewithinasinglebucket,butdifferentbucketscancontainobjectswiththesamekey.Thecombinationofbucket,key,andoptionalversionIDuniquelyidentifiesanAmazonS3object.

ObjectURLAmazonS3isstoragefortheInternet,andeveryAmazonS3objectcanbeaddressedbyauniqueURLformedusingthewebservicesendpoint,thebucketname,andtheobjectkey.Forexample,withtheURL:http://mybucket.s3.amazonaws.com/jack.doc

mybucketistheS3bucketname,andjack.docisthekeyorfilename.Ifanotherobjectiscreated,forinstance:http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc

thenthebucketnameisstillmybucket,butnowthekeyorfilenameisthestringfee/fi/fo/fum/jack.doc.AkeymaycontaindelimitercharacterslikeslashesorbackslashestohelpyounameandlogicallyorganizeyourAmazonS3objects,buttoAmazonS3itissimplyalongkeynameinaflatnamespace.Thereisnoactualfileandfolderhierarchy.Seethetopic“PrefixesandDelimiters”inthe“AmazonS3AdvancedFeatures”sectionthatfollowsformoreinformation.

Forconvenience,theAmazonS3consoleandthePrefixandDelimiterfeatureallowyoutonavigatewithinanAmazonS3bucketasiftherewereafolderhierarchy.However,rememberthatabucketisasingleflatnamespaceofkeyswithnostructure.

AmazonS3OperationsTheAmazonS3APIisintentionallysimple,withonlyahandfulofcommonoperations.Theyinclude:

Create/deleteabucket

Writeanobject

Readanobject

Deleteanobject

Listkeysinabucket

RESTInterfaceThenativeinterfaceforAmazonS3isaREST(RepresentationalStateTransfer)API.WiththeRESTinterface,youusestandardHTTPorHTTPSrequeststocreateanddeletebuckets,listkeys,andreadandwriteobjects.RESTmapsstandardHTTP“verbs”(HTTPmethods)to

http://mybucket.s3.amazonaws.com/jack.doc

http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc

thefamiliarCRUD(Create,Read,Update,Delete)operations.CreateisHTTPPUT(andsometimesPOST);readisHTTPGET;deleteisHTTPDELETE;andupdateisHTTPPOST(orsometimesPUT).

AlwaysuseHTTPSforAmazonS3APIrequeststoensurethatyourrequestsanddataaresecure.

Inmostcases,usersdonotusetheRESTinterfacedirectly,butinsteadinteractwithAmazonS3usingoneofthehigher-levelinterfacesavailable.TheseincludetheAWSSoftwareDevelopmentKits(SDKs)(wrapperlibraries)foriOS,Android,JavaScript,Java,.NET,Node.js,PHP,Python,Ruby,Go,andC++,theAWSCommandLineInterface(CLI),andtheAWSManagementConsole.

AmazonS3originallysupportedaSOAP(SimpleObjectAccessProtocol)APIinadditiontotheRESTAPI,butyoushouldusetheRESTAPI.ThelegacyHTTPSendpointisstillavailable,butnewfeaturesarenotsupported.

DurabilityandAvailabilityDatadurabilityandavailabilityarerelatedbutslightlydifferentconcepts.Durabilityaddressesthequestion,“Willmydatastillbethereinthefuture?”Availabilityaddressesthequestion,“CanIaccessmydatarightnow?”AmazonS3isdesignedtoprovidebothveryhighdurabilityandveryhighavailabilityforyourdata.

AmazonS3standardstorageisdesignedfor99.999999999%durabilityand99.99%availabilityofobjectsoveragivenyear.Forexample,ifyoustore10,000objectswithAmazonS3,youcanonaverageexpecttoincuralossofasingleobjectonceevery10,000,000years.AmazonS3achieveshighdurabilitybyautomaticallystoringdataredundantlyonmultipledevicesinmultiplefacilitieswithinaregion.Itisdesignedtosustaintheconcurrentlossofdataintwofacilitieswithoutlossofuserdata.AmazonS3providesahighlydurablestorageinfrastructuredesignedformission-criticalandprimarydatastorage.

Ifyouneedtostorenon-criticaloreasilyreproduciblederiveddata(suchasimagethumbnails)thatdoesn’trequirethishighlevelofdurability,youcanchoosetouseReducedRedundancyStorage(RRS)atalowercost.RRSoffers99.99%durabilitywithalowercostofstoragethantraditionalAmazonS3storage.

EventhoughAmazonS3storageoffersveryhighdurabilityattheinfrastructurelevel,itisstillabestpracticetoprotectagainstuser-levelaccidentaldeletionoroverwritingofdatabyusingadditionalfeaturessuchasversioning,cross-regionreplication,andMFADelete.

DataConsistencyAmazonS3isaneventuallyconsistentsystem.Becauseyourdataisautomaticallyreplicatedacrossmultipleserversandlocationswithinaregion,changesinyourdatamaytakesometimetopropagatetoalllocations.Asaresult,therearesomesituationswhereinformationthatyoureadimmediatelyafteranupdatemayreturnstaledata.

ForPUTstonewobjects,thisisnotaconcern—inthiscase,AmazonS3providesread-after-writeconsistency.However,forPUTstoexistingobjects(objectoverwritetoanexistingkey)andforobjectDELETEs,AmazonS3provideseventualconsistency.

EventualconsistencymeansthatifyouPUTnewdatatoanexistingkey,asubsequentGETmightreturntheolddata.Similarly,ifyouDELETEanobject,asubsequentGETforthatobjectmightstillreadthedeletedobject.Inallcases,updatestoasinglekeyareatomic—foreventually-consistentreads,youwillgetthenewdataortheolddata,butneveraninconsistentmixofdata.

AccessControlAmazonS3issecurebydefault;whenyoucreateabucketorobjectinAmazonS3,onlyyouhaveaccess.Toallowyoutogivecontrolledaccesstoothers,AmazonS3providesbothcoarse-grainedaccesscontrols(AmazonS3AccessControlLists[ACLs]),andfine-grainedaccesscontrols(AmazonS3bucketpolicies,AWSIdentityandAccessManagement[IAM]policies,andquery-stringauthentication).

AmazonS3ACLsallowyoutograntcertaincoarse-grainedpermissions:READ,WRITE,orFULL-CONTROLattheobjectorbucketlevel.ACLsarealegacyaccesscontrolmechanism,createdbeforeIAMexisted.ACLsarebestusedtodayforalimitedsetofusecases,suchasenablingbucketloggingormakingabucketthathostsastaticwebsitebeworld-readable.

AmazonS3bucketpoliciesaretherecommendedaccesscontrolmechanismforAmazonS3andprovidemuchfiner-grainedcontrol.AmazonS3bucketpoliciesareverysimilartoIAMpolicies,whichwerediscussedinChapter6,“AWSIdentityandAccessManagement(IAM),”butaresubtlydifferentinthat:

TheyareassociatedwiththebucketresourceinsteadofanIAMprincipal.

TheyincludeanexplicitreferencetotheIAMprincipalinthepolicy.ThisprincipalcanbeassociatedwithadifferentAWSaccount,soAmazonS3bucketpoliciesallowyoutoassigncross-accountaccesstoAmazonS3resources.

UsinganAmazonS3bucketpolicy,youcanspecifywhocanaccessthebucket,fromwhere(byClasslessInter-DomainRouting[CIDR]blockorIPaddress),andduringwhattimeofday.

Finally,IAMpoliciesmaybeassociateddirectlywithIAMprincipalsthatgrantaccesstoanAmazonS3bucket,justasitcangrantaccesstoanyAWSserviceandresource.Obviously,youcanonlyassignIAMpoliciestoprincipalsinAWSaccountsthatyoucontrol.

StaticWebsiteHostingAverycommonusecaseforAmazonS3storageisstaticwebsitehosting.Manywebsites,particularlymicro-sites,don’tneedtheservicesofafullwebserver.Astaticwebsitemeans

thatallofthepagesofthewebsitecontainonlystaticcontentanddonotrequireserver-sideprocessingsuchasPHP,ASP.NET,orJSP.(Notethatthisdoesnotmeanthatthewebsitecannotbeinteractiveanddynamic;thiscanbeaccomplishedwithclient-sidescripts,suchasJavaScriptembeddedinstaticHTMLwebpages.)Staticwebsiteshavemanyadvantages:theyareveryfast,veryscalable,andcanbemoresecurethanatypicaldynamicwebsite.IfyouhostastaticwebsiteonAmazonS3,youcanalsoleveragethesecurity,durability,availability,andscalabilityofAmazonS3.

BecauseeveryAmazonS3objecthasaURL,itisrelativelystraightforwardtoturnabucketintoawebsite.Tohostastaticwebsite,yousimplyconfigureabucketforwebsitehostingandthenuploadthecontentofthestaticwebsitetothebucket.

ToconfigureanAmazonS3bucketforstaticwebsitehosting:

1. Createabucketwiththesamenameasthedesiredwebsitehostname.

2. Uploadthestaticfilestothebucket.

3. Makeallthefilespublic(worldreadable).

4. Enablestaticwebsitehostingforthebucket.ThisincludesspecifyinganIndexdocumentandanErrordocument.

5. ThewebsitewillnowbeavailableattheS3websiteURL:

<bucket-name>.s3-website-<AWS-region>.amazonaws.com.

6. CreateafriendlyDNSnameinyourowndomainforthewebsiteusingaDNSCNAME,oranAmazonRoute53aliasthatresolvestotheAmazonS3websiteURL.

7. Thewebsitewillnowbeavailableatyourwebsitedomainname.

AmazonS3AdvancedFeaturesBeyondthebasics,therearesomeadvancedfeaturesofAmazonS3thatyoushouldalsobefamiliarwith.

PrefixesandDelimitersWhileAmazonS3usesaflatstructureinabucket,itsupportstheuseofprefixanddelimiterparameterswhenlistingkeynames.Thisfeatureletsyouorganize,browse,andretrievetheobjectswithinabuckethierarchically.Typically,youwoulduseaslash(/)orbackslash(\)asadelimiterandthenusekeynameswithembeddeddelimiterstoemulateafileandfolderhierarchywithintheflatobjectkeynamespaceofabucket.

Forexample,youmightwanttostoreaseriesofserverlogsbyservername(suchasserver42),butorganizedbyyearandmonth,likeso:

logs/2016/January/server42.log

logs/2016/February/server42.log

logs/2016/March/server42.log

TheRESTAPI,wrapperSDKs,AWSCLI,andtheAmazonManagementConsoleallsupporttheuseofdelimitersandprefixes.Thisfeatureletsyoulogicallyorganizenewdataandeasilymaintainthehierarchicalfolder-and-filestructureofexistingdatauploadedorbackedupfromtraditionalfilesystems.UsedtogetherwithIAMorAmazonS3bucketpolicies,prefixesanddelimitersalsoallowyoutocreatetheequivalentofdepartmental“subdirectories”oruser“homedirectories”withinasinglebucket,restrictingorsharingaccesstothese“subdirectories”(definedbyprefixes)asneeded.

UsedelimitersandobjectprefixestohierarchicallyorganizetheobjectsinyourAmazonS3buckets,butalwaysrememberthatAmazonS3isnotreallyafilesystem.

StorageClassesAmazonS3offersarangeofstorageclassessuitableforvarioususecases.

AmazonS3Standardoffershighdurability,highavailability,lowlatency,andhighperformanceobjectstorageforgeneralpurposeuse.Becauseitdeliverslowfirst-bytelatencyandhighthroughput,Standardiswell-suitedforshort-termorlong-termstorageoffrequentlyaccesseddata.Formostgeneralpurposeusecases,AmazonS3Standardistheplacetostart.

AmazonS3Standard–InfrequentAccess(Standard-IA)offersthesamedurability,lowlatency,andhighthroughputasAmazonS3Standard,butisdesignedforlong-lived,lessfrequentlyaccesseddata.Standard-IAhasalowerperGB-monthstoragecostthanStandard,butthepricemodelalsoincludesaminimumobjectsize(128KB),minimumduration(30days),andper-GBretrievalcosts,soitisbestsuitedforinfrequentlyaccesseddatathatisstoredforlongerthan30days.

AmazonS3ReducedRedundancyStorage(RRS)offersslightlylowerdurability(4nines)thanStandardorStandard-IAatareducedcost.Itismostappropriateforderiveddatathatcanbeeasilyreproduced,suchasimagethumbnails.

Finally,theAmazonGlacierstorageclassofferssecure,durable,andextremelylow-costcloudstoragefordatathatdoesnotrequirereal-timeaccess,suchasarchivesandlong-termbackups.Tokeepcostslow,AmazonGlacierisoptimizedforinfrequentlyaccesseddatawherearetrievaltimeofseveralhoursissuitable.ToretrieveanAmazonGlacierobject,youissuearestorecommandusingoneoftheAmazonS3APIs;threetofivehourslater,theAmazonGlacierobjectiscopiedtoAmazonS3RRS.NotethattherestoresimplycreatesacopyinAmazonS3RRS;theoriginaldataobjectremainsinAmazonGlacieruntilexplicitlydeleted.AlsobeawarethatAmazonGlacierallowsyoutoretrieveupto5%oftheAmazonS3datastoredinAmazonGlacierforfreeeachmonth;restoresbeyondthedailyrestoreallowanceincurarestorefee.RefertotheAmazonGlacierpricingpageontheAWSwebsiteforfulldetails.

InadditiontoactingasastoragetierinAmazonS3,AmazonGlacierisalsoastandalonestorageservicewithaseparateAPIandsomeuniquecharacteristics.However,whenyouuseAmazonGlacierasastorageclassofAmazonS3,youalwaysinteractwiththedataviatheAmazonS3APIs.RefertotheAmazonGlaciersectionformoredetails.

SetadataretrievalpolicytolimitrestorestothefreetierortoamaximumGB-per-hourlimittoavoidorminimizeAmazonGlacierrestorefees.

ObjectLifecycleManagementAmazonS3ObjectLifecycleManagementisroughlyequivalenttoautomatedstoragetieringintraditionalITstorageinfrastructures.Inmanycases,datahasanaturallifecycle,startingoutas“hot”(frequentlyaccessed)data,movingto“warm”(lessfrequentlyaccessed)dataasitages,andendingitslifeas“cold”(long-termbackuporarchive)databeforeeventualdeletion.

Forexample,manybusinessdocumentsarefrequentlyaccessedwhentheyarecreated,thenbecomemuchlessfrequentlyaccessedovertime.Inmanycases,however,compliancerulesrequirebusinessdocumentstobearchivedandkeptaccessibleforyears.Similarly,studiesshowthatfile,operatingsystem,anddatabasebackupsaremostfrequentlyaccessedinthefirstfewdaysaftertheyarecreated,usuallytorestoreafteraninadvertenterror.Afteraweekortwo,thesebackupsremainacriticalasset,buttheyaremuchlesslikelytobeaccessedforarestore.Inmanycases,compliancerulesrequirethatacertainnumberofbackupsbekeptforseveralyears.

UsingAmazonS3lifecycleconfigurationrules,youcansignificantlyreduceyourstoragecostsbyautomaticallytransitioningdatafromonestorageclasstoanotherorevenautomaticallydeletingdataafteraperiodoftime.Forexample,thelifecyclerulesforbackupdatamightbe:

StorebackupdatainitiallyinAmazonS3Standard.

After30days,transitiontoAmazonStandard-IA.

After90days,transitiontoAmazonGlacier.

After3years,delete.

Lifecycleconfigurationsareattachedtothebucketandcanapplytoallobjectsinthebucketoronlytoobjectsspecifiedbyaprefix.

EncryptionItisstronglyrecommendedthatallsensitivedatastoredinAmazonS3beencrypted,bothinflightandatrest.

ToencryptyourAmazonS3datainflight,youcanusetheAmazonS3SecureSocketsLayer(SSL)APIendpoints.ThisensuresthatalldatasenttoandfromAmazonS3isencryptedwhileintransitusingtheHTTPSprotocol.

ToencryptyourAmazonS3dataatrest,youcanuseseveralvariationsofServer-SideEncryption(SSE).AmazonS3encryptsyourdataattheobjectlevelasitwritesittodisksinitsdatacentersanddecryptsitforyouwhenyouaccessit.AllSSEperformedbyAmazonS3andAWSKeyManagementService(AmazonKMS)usesthe256-bitAdvancedEncryptionStandard(AES).YoucanalsoencryptyourAmazonS3dataatrestusingClient-SideEncryption,encryptingyourdataontheclientbeforesendingittoAmazonS3.

SSE-S3(AWS-ManagedKeys)Thisisafullyintegrated“check-box-style”encryptionsolutionwhereAWShandlesthekeymanagementandkeyprotectionforAmazonS3.Everyobjectisencryptedwithauniquekey.Theactualobjectkeyitselfisthenfurtherencryptedbyaseparatemasterkey.Anewmasterkeyisissuedatleastmonthly,withAWSrotatingthekeys.Encrypteddata,encryptionkeys,andmasterkeysareallstoredseparatelyonsecurehosts,furtherenhancingprotection.

SSE-KMS(AWSKMSKeys)ThisisafullyintegratedsolutionwhereAmazonhandlesyourkeymanagementandprotectionforAmazonS3,butwhereyoumanagethekeys.SSE-KMSoffersseveraladditionalbenefitscomparedtoSSE-S3.UsingSSE-KMS,thereareseparatepermissionsforusingthemasterkey,whichprovideprotectionagainstunauthorizedaccesstoyourobjectsstoredinAmazonS3andanadditionallayerofcontrol.AWSKMSalsoprovidesauditing,soyoucanseewhousedyourkeytoaccesswhichobjectandwhentheytriedtoaccessthisobject.AWSKMSalsoallowsyoutoviewanyfailedattemptstoaccessdatafromuserswhodidnothavepermissiontodecryptthedata.

SSE-C(Customer-ProvidedKeys)Thisisusedwhenyouwanttomaintainyourownencryptionkeysbutdon’twanttomanageorimplementyourownclient-sideencryptionlibrary.WithSSE-C,AWSwilldotheencryption/decryptionofyourobjectswhileyoumaintainfullcontrolofthekeysusedtoencrypt/decrypttheobjectsinAmazonS3.

Client-SideEncryptionClient-sideencryptionreferstoencryptingdataontheclientsideofyourapplicationbeforesendingittoAmazonS3.Youhavethefollowingtwooptionsforusingdataencryptionkeys:

UseanAWSKMS-managedcustomermasterkey.

Useaclient-sidemasterkey.

Whenusingclient-sideencryption,youretainend-to-endcontroloftheencryptionprocess,includingmanagementoftheencryptionkeys.

Formaximumsimplicityandeaseofuse,useserver-sideencryptionwithAWS-managedkeys(SSE-S3orSSE-KMS).

VersioningAmazonS3versioninghelpsprotectsyourdataagainstaccidentalormaliciousdeletionbykeepingmultipleversionsofeachobjectinthebucket,identifiedbyauniqueversionID.Versioningallowsyoutopreserve,retrieve,andrestoreeveryversionofeveryobjectstoredinyourAmazonS3bucket.IfausermakesanaccidentalchangeorevenmaliciouslydeletesanobjectinyourS3bucket,youcanrestoretheobjecttoitsoriginalstatesimplybyreferencingtheversionIDinadditiontothebucketandobjectkey.Versioningisturnedonatthebucketlevel.Onceenabled,versioningcannotberemovedfromabucket;itcanonlybesuspended.

MFADeleteMFADeleteaddsanotherlayerofdataprotectionontopofbucketversioning.MFADeleterequiresadditionalauthenticationinordertopermanentlydeleteanobjectversionorchangetheversioningstateofabucket.Inadditiontoyournormalsecuritycredentials,MFADeleterequiresanauthenticationcode(atemporary,one-timepassword)generatedbyahardwareorvirtualMulti-FactorAuthentication(MFA)device.NotethatMFADeletecanonlybeenabledbytherootaccount.

Pre-SignedURLsAllAmazonS3objectsbydefaultareprivate,meaningthatonlytheownerhasaccess.However,theobjectownercanoptionallyshareobjectswithothersbycreatingapre-signedURL,usingtheirownsecuritycredentialstogranttime-limitedpermissiontodownloadtheobjects.Whenyoucreateapre-signedURLforyourobject,youmustprovideyoursecuritycredentialsandspecifyabucketname,anobjectkey,theHTTPmethod(GETtodownloadtheobject),andanexpirationdateandtime.Thepre-signedURLsarevalidonlyforthespecifiedduration.Thisisparticularlyusefultoprotectagainst“contentscraping”ofwebcontentsuchasmediafilesstoredinAmazonS3.

MultipartUploadTobettersupportuploadingorcopyingoflargeobjects,AmazonS3providestheMultipartUploadAPI.Thisallowsyoutouploadlargeobjectsasasetofparts,whichgenerallygivesbetternetworkutilization(throughparalleltransfers),theabilitytopauseandresume,andtheabilitytouploadobjectswherethesizeisinitiallyunknown.

Multipartuploadisathree-stepprocess:initiation,uploadingtheparts,andcompletion(or

abort).Partscanbeuploadedindependentlyinarbitraryorder,withretransmissionifneeded.Afterallofthepartsareuploaded,AmazonS3assemblesthepartsinordertocreateanobject.

Ingeneral,youshouldusemultipartuploadforobjectslargerthan100Mbytes,andyoumustusemultipartuploadforobjectslargerthan5GB.Whenusingthelow-levelAPIs,youmustbreakthefiletobeuploadedintopartsandkeeptrackoftheparts.Whenusingthehigh-levelAPIsandthehigh-levelAmazonS3commandsintheAWSCLI(awss3cp,awss3mv,andawss3sync),multipartuploadisautomaticallyperformedforlargeobjects.

Youcansetanobjectlifecyclepolicyonabuckettoabortincompletemultipartuploadsafteraspecifiednumberofdays.Thiswillminimizethestoragecostsassociatedwithmultipartuploadsthatwerenotcompleted.

RangeGETsItispossibletodownload(GET)onlyaportionofanobjectinbothAmazonS3andAmazonGlacierbyusingsomethingcalledaRangeGET.UsingtheRangeHTTPheaderintheGETrequestorequivalentparametersinoneoftheSDKwrapperlibraries,youspecifyarangeofbytesoftheobject.ThiscanbeusefulindealingwithlargeobjectswhenyouhavepoorconnectivityortodownloadonlyaknownportionofalargeAmazonGlacierbackup.

Cross-RegionReplicationCross-regionreplicationisafeatureofAmazonS3thatallowsyoutoasynchronouslyreplicateallnewobjectsinthesourcebucketinoneAWSregiontoatargetbucketinanotherregion.AnymetadataandACLsassociatedwiththeobjectarealsopartofthereplication.Afteryousetupcross-regionreplicationonyoursourcebucket,anychangestothedata,metadata,orACLsonanobjecttriggeranewreplicationtothedestinationbucket.Toenablecross-regionreplication,versioningmustbeturnedonforbothsourceanddestinationbuckets,andyoumustuseanIAMpolicytogiveAmazonS3permissiontoreplicateobjectsonyourbehalf.

Cross-regionreplicationiscommonlyusedtoreducethelatencyrequiredtoaccessobjectsinAmazonS3byplacingobjectsclosertoasetofusersortomeetrequirementstostorebackupdataatacertaindistancefromtheoriginalsourcedata.

Ifturnedoninanexistingbucket,cross-regionreplicationwillonlyreplicatenewobjects.Existingobjectswillnotbereplicatedandmustbecopiedtothenewbucketviaaseparatecommand.

LoggingInordertotrackrequeststoyourAmazonS3bucket,youcanenableAmazonS3serveraccesslogs.Loggingisoffbydefault,butitcaneasilybeenabled.Whenyouenableloggingfora

bucket(thesourcebucket),youmustchoosewherethelogswillbestored(thetargetbucket).Youcanstoreaccesslogsinthesamebucketorinadifferentbucket.Eitherway,itisoptional(butabestpractice)tospecifyaprefix,suchaslogs/oryourbucketname/logs/,sothatyoucanmoreeasilyidentifyyourlogs.

Onceenabled,logsaredeliveredonabest-effortbasiswithaslightdelay.Logsincludeinformationsuchas:

RequestoraccountandIPaddress

Bucketname

Requesttime

Action(GET,PUT,LIST,andsoforth)

Responsestatusorerrorcode

EventNotificationsAmazonS3eventnotificationscanbesentinresponsetoactionstakenonobjectsuploadedorstoredinAmazonS3.Eventnotificationsenableyoutorunworkflows,sendalerts,orperformotheractionsinresponsetochangesinyourobjectsstoredinAmazonS3.YoucanuseAmazonS3eventnotificationstosetuptriggerstoperformactions,suchastranscodingmediafileswhentheyareuploaded,processingdatafileswhentheybecomeavailable,andsynchronizingAmazonS3objectswithotherdatastores.

AmazonS3eventnotificationsaresetupatthebucketlevel,andyoucanconfigurethemthroughtheAmazonS3console,throughtheRESTAPI,orbyusinganAWSSDK.AmazonS3canpublishnotificationswhennewobjectsarecreated(byaPUT,POST,COPY,ormultipartuploadcompletion),whenobjectsareremoved(byaDELETE),orwhenAmazonS3detectsthatanRRSobjectwaslost.Youcanalsosetupeventnotificationsbasedonobjectnameprefixesandsuffixes.NotificationmessagescanbesentthrougheitherAmazonSimpleNotificationService(AmazonSNS)orAmazonSimpleQueueService(AmazonSQS)ordelivereddirectlytoAWSLambdatoinvokeAWSLambdafunctions.

BestPractices,Patterns,andPerformanceItisacommonpatterntouseAmazonS3storageinhybridITenvironmentsandapplications.Forexample,datainon-premisesfilesystems,databases,andcompliancearchivescaneasilybebackedupovertheInternettoAmazonS3orAmazonGlacier,whiletheprimaryapplicationordatabasestorageremainson-premises.

AnothercommonpatternistouseAmazonS3asbulk“blob”storagefordata,whilekeepinganindextothatdatainanotherservice,suchasAmazonDynamoDBorAmazonRDS.Thisallowsquicksearchesandcomplexqueriesonkeynameswithoutlistingkeyscontinually.

AmazonS3willscaleautomaticallytosupportveryhighrequestrates,automaticallyre-partitioningyourbucketsasneeded.Ifyouneedrequestrateshigherthan100requestspersecond,youmaywanttoreviewtheAmazonS3bestpracticesguidelinesintheDeveloperGuide.Tosupporthigherrequestrates,itisbesttoensuresomelevelofrandomdistributionofkeys,forexamplebyincludingahashasaprefixtokeynames.

IfyouareusingAmazonS3inaGET-intensivemode,suchasastaticwebsitehosting,forbestperformanceyoushouldconsiderusinganAmazonCloudFrontdistributionasacachinglayerinfrontofyourAmazonS3bucket.

AmazonGlacierAmazonGlacierisanextremelylow-coststorageservicethatprovidesdurable,secure,andflexiblestoragefordataarchivingandonlinebackup.Tokeepcostslow,AmazonGlacierisdesignedforinfrequentlyaccesseddatawherearetrievaltimeofthreetofivehoursisacceptable.

AmazonGlaciercanstoreanunlimitedamountofvirtuallyanykindofdata,inanyformat.CommonusecasesforAmazonGlacierincludereplacementoftraditionaltapesolutionsforlong-termbackupandarchiveandstorageofdatarequiredforcompliancepurposes.Inmostcases,thedatastoredinAmazonGlacierconsistsoflargeTAR(TapeArchive)orZIPfiles.

LikeAmazonS3,AmazonGlacierisextremelydurable,storingdataonmultipledevicesacrossmultiplefacilitiesinaregion.AmazonGlacierisdesignedfor99.999999999%durabilityofobjectsoveragivenyear.

ArchivesInAmazonGlacier,dataisstoredinarchives.Anarchivecancontainupto40TBofdata,andyoucanhaveanunlimitednumberofarchives.EacharchiveisassignedauniquearchiveIDatthetimeofcreation.(UnlikeanAmazonS3objectkey,youcannotspecifyauser-friendlyarchivename.)Allarchivesareautomaticallyencrypted,andarchivesareimmutable—afteranarchiveiscreated,itcannotbemodified.

VaultsVaultsarecontainersforarchives.EachAWSaccountcanhaveupto1,000vaults.YoucancontrolaccesstoyourvaultsandtheactionsallowedusingIAMpoliciesorvaultaccesspolicies.

VaultsLocksYoucaneasilydeployandenforcecompliancecontrolsforindividualAmazonGlaciervaultswithavaultlockpolicy.YoucanspecifycontrolssuchasWriteOnceReadMany(WORM)inavaultlockpolicyandlockthepolicyfromfutureedits.Oncelocked,thepolicycannolongerbechanged.

DataRetrievalYoucanretrieveupto5%ofyourdatastoredinAmazonGlacierforfreeeachmonth,calculatedonadailyproratedbasis.Ifyouretrievemorethan5%,youwillincurretrievalfeesbasedonyourmaximumretrievalrate.Toeliminateorminimizethosefees,youcansetadataretrievalpolicyonavaulttolimityourretrievalstothefreetierortoaspecifieddatarate.

AmazonGlacierversusAmazonSimpleStorageService(AmazonS3)AmazonGlacierissimilartoAmazonS3,butitdiffersinseveralkeyaspects.AmazonGlaciersupports40TBarchivesversus5TBobjectsinAmazonS3.ArchivesinAmazonGlacierare

identifiedbysystem-generatedarchiveIDs,whileAmazonS3letsyouuse“friendly”keynames.AmazonGlacierarchivesareautomaticallyencrypted,whileencryptionatrestisoptionalinAmazonS3.However,byusingAmazonGlacierasanAmazonS3storageclasstogetherwithobjectlifecyclepolicies,youcanusetheAmazonS3interfacetogetmostofthebenefitsofAmazonGlacierwithoutlearninganewinterface.

SummaryAmazonS3isthecoreobjectstorageserviceonAWS,allowingyoutostoreanunlimitedamountofdatawithveryhighdurability.

CommonAmazonS3usecasesincludebackupandarchive,webcontent,bigdataanalytics,staticwebsitehosting,mobileandcloud-nativeapplicationhosting,anddisasterrecovery.

AmazonS3isintegratedwithmanyotherAWScloudservices,includingAWSIAM,AWSKMS,AmazonEC2,AmazonEBS,AmazonEMR,AmazonDynamoDB,AmazonRedshift,AmazonSQS,AWSLambda,andAmazonCloudFront.

Objectstoragediffersfromtraditionalblockandfilestorage.Blockstoragemanagesdataatadevicelevelasaddressableblocks,whilefilestoragemanagesdataattheoperatingsystemlevelasfilesandfolders.Objectstoragemanagesdataasobjectsthatcontainbothdataandmetadata,manipulatedbyanAPI.

AmazonS3bucketsarecontainersforobjectsstoredinAmazonS3.Bucketnamesmustbegloballyunique.Eachbucketiscreatedinaspecificregion,anddatadoesnotleavetheregionunlessexplicitlycopiedbytheuser.

AmazonS3objectsarefilesstoredinbuckets.Objectscanbeupto5TBandcancontainanykindofdata.Objectscontainbothdataandmetadataandareidentifiedbykeys.EachAmazonS3objectcanbeaddressedbyauniqueURLformedbythewebservicesendpoint,thebucketname,andtheobjectkey.

AmazonS3hasaminimalisticAPI—create/deleteabucket,read/write/deleteobjects,listkeysinabucket—andusesaRESTinterfacebasedonstandardHTTPverbs—GET,PUT,POST,andDELETE.YoucanalsouseSDKwrapperlibraries,theAWSCLI,andtheAWSManagementConsoletoworkwithAmazonS3.

AmazonS3ishighlydurableandhighlyavailable,designedfor11ninesofdurabilityofobjectsinagivenyearandfourninesofavailability.

AmazonS3iseventuallyconsistent,butoffersread-after-writeconsistencyfornewobjectPUTs.

AmazonS3objectsareprivatebydefault,accessibleonlytotheowner.Objectscanbemarkedpublicreadabletomakethemaccessibleontheweb.ControlledaccessmaybeprovidedtoothersusingACLsandAWSIAMandAmazonS3bucketpolicies.

StaticwebsitescanbehostedinanAmazonS3bucket.

Prefixesanddelimitersmaybeusedinkeynamestoorganizeandnavigatedatahierarchicallymuchlikeatraditionalfilesystem.

AmazonS3offersseveralstorageclassessuitedtodifferentusecases:Standardisdesignedforgeneral-purposedataneedinghighperformanceandlowlatency.Standard-IAisforlessfrequentlyaccesseddata.RRSofferslowerredundancyatlowercostforeasilyreproduceddata.AmazonGlacierofferslow-costdurablestorageforarchiveandlong-termbackupsthatcanarerarelyaccessedandcanacceptathree-tofive-hourretrievaltime.

Objectlifecyclemanagementpoliciescanbeusedtoautomaticallymovedatabetween

storageclassesbasedontime.

AmazonS3datacanbeencryptedusingserver-sideorclient-sideencryption,andencryptionkeyscanbemanagedwithAmazonKMS.

VersioningandMFADeletecanbeusedtoprotectagainstaccidentaldeletion.

Cross-regionreplicationcanbeusedtoautomaticallycopynewobjectsfromasourcebucketinoneregiontoatargetbucketinanotherregion.

Pre-signedURLsgranttime-limitedpermissiontodownloadobjectsandcanbeusedtoprotectmediaandotherwebcontentfromunauthorized“webscraping.”

Multipartuploadcanbeusedtouploadlargeobjects,andRangeGETscanbeusedtodownloadportionsofanAmazonS3objectorAmazonGlacierarchive.

Serveraccesslogscanbeenabledonabuckettotrackrequestor,object,action,andresponse.

AmazonS3eventnotificationscanbeusedtosendanAmazonSQSorAmazonSNSmessageortotriggeranAWSLambdafunctionwhenanobjectiscreatedordeleted.

AmazonGlaciercanbeusedasastandaloneserviceorasastorageclassinAmazonS3.

AmazonGlacierstoresdatainarchives,whicharecontainedinvaults.Youcanhaveupto1,000vaults,andeachvaultcanstoreanunlimitednumberofarchives.

AmazonGlaciervaultscanbelockedforcompliancepurposes.

ExamEssentialsKnowwhatamazons3isandwhatitiscommonlyusedfor.AmazonS3issecure,durable,andhighlyscalablecloudstoragethatcanbeusedtostoreanunlimitedamountofdatainalmostanyformatusingasimplewebservicesinterface.Commonusecasesincludebackupandarchive,contentstorageanddistribution,bigdataanalytics,staticwebsitehosting,cloud-nativeapplicationhosting,anddisasterrecovery.

Understandhowobjectstoragediffersfromblockandfilestorage.AmazonS3cloudobjectstoragemanagesdataattheapplicationlevelasobjectsusingaRESTAPIbuiltonHTTP.BlockstoragemanagesdataattheoperatingsystemlevelasnumberedaddressableblocksusingprotocolssuchasSCSIorFibreChannel.FilestoragemanagesdataassharedfilesattheoperatingsystemlevelusingaprotocolsuchasCIFSorNFS.

UnderstandthebasicsofAmazonS3.AmazonS3storesdatainobjectsthatcontaindataandmetadata.Objectsareidentifiedbyauser-definedkeyandarestoredinasimpleflatfoldercalledabucket.InterfacesincludeanativeRESTinterface,SDKsformanylanguages,anAWSCLI,andtheAWSManagementConsole.

Knowhowtocreateabucket;howtoupload,download,anddeleteobjects;howtomakeobjectspublic;andhowtoopenanobjectURL.

Understandthedurability,availability,anddataconsistencymodelofAmazonS3.AmazonS3standardstorageisdesignedfor11ninesdurabilityandfourninesavailabilityofobjectsoverayear.Otherstorageclassesdiffer.AmazonS3iseventuallyconsistent,butoffersread-after-writeconsistencyforPUTstonewobjects.

KnowhowtoenablestaticwebsitehostingonAmazonS3.TocreateastaticwebsiteonAmazonS3,youmustcreateabucketwiththewebsitehostname,uploadyourstaticcontentandmakeitpublic,enablestaticwebsitehostingonthebucket,andindicatetheindexanderrorpageobjects.

KnowhowtoprotectyourdataonAmazonS3.EncryptdatainflightusingHTTPSandatrestusingSSEorclient-sideencryption.Enableversioningtokeepmultipleversionsofanobjectinabucket.EnableMFADeletetoprotectagainstaccidentaldeletion.UseACLsAmazonS3bucketpoliciesandAWSIAMpoliciesforaccesscontrol.Usepre-signedURLsfortime-limiteddownloadaccess.Usecross-regionreplicationtoautomaticallyreplicatedatatoanotherregion.

KnowtheusecaseforeachoftheAmazonS3storageclasses.Standardisforgeneralpurposedatathatneedshighdurability,highperformance,andlowlatencyaccess.Standard-IAisfordatathatislessfrequentlyaccessed,butthatneedsthesameperformanceandavailabilitywhenaccessed.RRSofferslowerdurabilityatlowercostforeasilyreplicateddata.AmazonGlacierisforstoringrarelyaccessedarchivaldataatlowestcost,whenthree-tofive-hourretrievaltimeisacceptable.

Knowhowtouselifecycleconfigurationrules.LifecyclerulescanbeconfiguredintheAWSManagementConsoleortheAPIs.Lifecycleconfigurationrulesdefineactionstotransitionobjectsfromonestorageclasstoanotherbasedontime.

KnowhowtouseAmazonS3eventnotifications.Eventnotificationsaresetatthe

bucketlevelandcantriggeramessageinAmazonSNSorAmazonSQSoranactioninAWSLambdainresponsetoanuploadoradeleteofanobject.

Knowthebasicsofamazonglacierasastandaloneservice.Dataisstoredinencryptedarchivesthatcanbeaslargeas40TB.ArchivestypicallycontainTARorZIPfiles.Vaultsarecontainersforarchives,andvaultscanbelockedforcompliance.

ExercisesForassistanceincompletingthefollowingexercises,referencethefollowingdocumentation:

GettingstartedwithAmazonS3:http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html

Settingupastaticwebsite:http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html

Usingversioning:http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html

ObjectLifecycleManagement:http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

EXERCISE2.1

CreateanAmazonSimpleStorageService(AmazonS3)BucketInthisexercise,youwillcreateanewAmazonS3bucketinyourselectedregion.Youwillusethisbucketinthefollowingexercises.

1. LogintotheAWSManagementConsole.

2. Chooseanappropriateregion,suchasUSWest(Oregon).

3. NavigatetotheAmazonS3console.NoticethattheregionindicatornowsaysGlobal.RememberthatAmazonS3bucketsformaglobalnamespace,eventhougheachbucketiscreatedinaspecificregion.

4. Startthecreatebucketprocess.

5. WhenpromptedforBucketName,usemynewbucket.

6. Choosearegion,suchasUSWest(Oregon).

7. Trytocreatethebucket.Youalmostsurelywillgetamessagethattherequestedbucketnameisnotavailable.Rememberthatabucketnamemustbeuniqueglobally.

8. Tryagainusingyoursurnamefollowedbyahyphenandthentoday’sdateinasix-digitformatasthebucketname(abucketnamethatisnotlikelytoexistalready).

YoushouldnowhaveanewAmazonS3bucket.

EXERCISE2.2

Upload,MakePublic,Rename,andDeleteObjectsinYourBucket

Inthisexercise,youwilluploadanewobjecttoyourbucket.Youwillthenmakethisobjectpublicandviewtheobjectinyourbrowser.Youwillthenrenametheobjectandfinallydeleteitfromthebucket.

http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html

http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html

http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html

http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

UploadanObject1. LoadyournewbucketintheAmazonS3console.

2. SelectUpload,thenAddFiles.

3. LocateafileonyourPCthatyouareokaywithuploadingtoAmazonS3andmakingpublictotheInternet.(Wesuggestusinganon-personalimagefileforthepurposesofthisexercise.)

4. Selectasuitablefile,thenStartUpload.YouwillseethestatusofyourfileintheTransferssection.

5. Afteryourfileisuploaded,thestatusshouldchangetoDone.

ThefileyouuploadedisnowstoredasanAmazonS3objectandshouldbenowlistedinthecontentsofyourbucket.

OpentheAmazonS3URL6. Nowopenthepropertiesfortheobject.Thepropertiesshouldincludebucket,name,

andlink.

7. CopytheAmazonS3URLfortheobject.

8. PastetheURLintheaddressbarofanewbrowserwindowortab.

YoushouldgetamessagewithanXMLerrorcodeAccessDenied.EventhoughtheobjecthasaURL,itisprivatebydefault,soitcannotbeaccessedbyawebbrowser.

MaketheObjectPublic9. GobacktotheAmazonS3ConsoleandselectMakePublic.(Equivalently,youcan

changetheobject’spermissionsandaddgranteeEveryoneandpermissionsOpen/Download.)

10. CopytheAmazonS3URLagainandtrytoopenitinabrowserortab.Yourpublicimagefileshouldnowdisplayinthebrowserorbrowsertab.

RenameObject11. IntheAmazonS3console,selectRename.

12. Renametheobject,butkeepthesamefileextension.

13. CopythenewAmazonS3URLandtrytoopenitinabrowserortab.Youshouldseethesameimagefile.

DeletetheObject14. IntheAmazonS3console,selectDelete.SelectOKwhenpromptedifyouwantto

deletetheobject.

15. Theobjecthasnowbeendeleted.

16. Toverify,trytoreloadthedeletedobject’sAmazonS3URL.

YoushouldonceagaingettheXMLAccessDeniederrormessage.

EXERCISE2.3

EnableVersionControl

Inthisexercise,youwillenableversioncontrolonyournewlycreatedbucket.

EnableVersioning1. IntheAmazonS3console,loadthepropertiesofyourbucket.Don’topenthebucket.

2. EnableversioninginthepropertiesandselectOKtoverify.Yourbucketnowhasversioningenabled.(Notethatversioningcanbesuspended,butnotturnedoff.)

CreateMultipleVersionsofanObject3. Createatextfilenamedfoo.txtonyourcomputerandwritethewordblueinthe

textfile.

4. Savethetextfiletoalocationofyourchoosing.

5. Uploadthetextfiletoyourbucket.Thiswillbeversion1.

6. Afteryouhaveuploadedthetextfiletoyourbucket,openthecopyonyourlocalcomputerandchangethewordbluetored.Savethetextfilewiththeoriginalfilename.

7. Uploadthemodifiedfiletoyourbucket.

8. SelectShowVersionsontheuploadedobject.

YouwillnowseetwodifferentversionsoftheobjectwithdifferentVersionIDsandpossiblydifferentsizes.NotethatwhenyouselectShowVersion,theAmazonS3URLnowincludestheversionIDinthequerystringaftertheobjectname.

EXERCISE2.4

DeleteanObjectandThenRestoreIt

Inthisexercise,youwilldeleteanobjectinyourAmazonS3bucketandthenrestoreit.

DeleteanObject1. Openthebucketcontainingthetextfileforwhichyounowhavetwoversions.

2. SelectHideVersions.

3. SelectDelete,andthenselectOKtoverify.

4. Yourobjectwillnowbedeleted,andyoucannolongerseetheobject.

5. SelectShowVersions.

BothversionsoftheobjectnowshowtheirversionIDs.

RestoreanObject6. Openyourbucket.

7. SelectShowVersions.

8. Selecttheoldestversionanddownloadtheobject.Notethatthefilenameissimplyfoo.txtwithnoversionindicator.

9. Uploadfoo.txttothesamebucket.

10. SelectHideVersions,andthefilefoo.txtshouldre-appear.

Torestoreaversion,youcopythedesiredversionintothesamebucket.IntheAmazonS3console,thisrequiresadownloadthenre-uploadoftheobject.UsingAPIs,SDKs,orAWSCLI,youcancopyaversiondirectlywithoutdownloadingandre-uploading.

EXERCISE2.5

LifecycleManagementInthisexercise,youwillexplorethevariousoptionsforlifecyclemanagement.

1. SelectyourbucketintheAmazonS3console.

2. UnderProperties,addaLifecycleRule.

3. Explorethevariousoptionstoaddlifecyclerulestoobjectsinthisbucket.Itisrecommendedthatyoudonotimplementanyoftheseoptions,asyoumayincuradditionalcosts.Afteryouhavefinished,clicktheCancelbutton.

Mostlifecyclerulesrequiresomenumberofdaystoexpirebeforethetransitiontakeseffect.Forexample,ittakesaminimumof30daystotransitionfromAmazonS3StandardtoAmazonS3Standard-IA.Thismakesitimpracticaltocreatealifecycleruleandseetheactualresultinanexercise.

EXERCISE2.6

EnableStaticHostingonYourBucketInthisexercise,youwillenablestatichostingonyournewlycreatedbucket.

1. SelectyourbucketintheAmazonS3console.

2. InthePropertiessection,selectEnableWebsiteHosting.

3. Fortheindexdocumentname,enterindex.txt,andfortheerrordocumentname,entererror.txt.

4. Useatexteditortocreatetwotextfilesandsavethemasindex.txtanderror.txt.Intheindex.txtfile,writethephrase“HelloWorld,”andintheerror.txtfile,writethephrase“ErrorPage.”Savebothtextfilesanduploadthemtoyourbucket.

5. Makethetwoobjectspublic.

6. CopytheEndpoint:linkunderStaticWebsiteHostingandpasteitinabrowserwindowortab.Youshouldnowseethephrase"HelloWorld"displayed.

7. Intheaddressbarinyourbrowser,tryaddingaforwardslashfollowedbyamade-upfilename(forexample,/test.html).Youshouldnowseethephrase"ErrorPage"displayed.

8. Tocleanup,deletealloftheobjectsinyourbucketandthendeletethebucketitself.

ReviewQuestions1. InwhatwaysdoesAmazonSimpleStorageService(AmazonS3)objectstoragedifferfromblockandfilestorage?(Choose2answers)

A. AmazonS3storesdatainfixedsizeblocks.

B. Objectsareidentifiedbyanumberedaddress.

C. Objectscanbeanysize.

D. Objectscontainbothdataandmetadata.

E. Objectsarestoredinbuckets.

2. WhichofthefollowingarenotappropriatesusecasesforAmazonSimpleStorageService(AmazonS3)?(Choose2answers)

A. Storingwebcontent

B. StoringafilesystemmountedtoanAmazonElasticComputeCloud(AmazonEC2)instance

C. Storingbackupsforarelationaldatabase

D. Primarystorageforadatabase

E. Storinglogsforanalytics

3. WhataresomeofthekeycharacteristicsofAmazonSimpleStorageService(AmazonS3)?(Choose3answers)

A. AllobjectshaveaURL.

B. AmazonS3canstoreunlimitedamountsofdata.

C. Objectsareworld-readablebydefault.

D. AmazonS3usesaREST(RepresentationalStateTransfer)ApplicationProgramInterface(API).

E. Youmustpre-allocatethestorageinabucket.

4. WhichfeaturescanbeusedtorestrictaccesstoAmazonSimpleStorageService(AmazonS3)data?(Choose3answers)

A. Enablestaticwebsitehostingonthebucket.

B. Createapre-signedURLforanobject.

C. UseanAmazonS3AccessControlList(ACL)onabucketorobject.

D. Usealifecyclepolicy.

E. UseanAmazonS3bucketpolicy.

5. YourapplicationstorescriticaldatainAmazonSimpleStorageService(AmazonS3),whichmustbeprotectedagainstinadvertentorintentionaldeletion.Howcanthisdatabeprotected?(Choose2answers)

A. Usecross-regionreplicationtocopydatatoanotherbucketautomatically.

B. Setavaultlock.

C. Enableversioningonthebucket.

D. UsealifecyclepolicytomigratedatatoAmazonGlacier.

E. EnableMFADeleteonthebucket.

6. YourcompanystoresdocumentsinAmazonSimpleStorageService(AmazonS3),butitwantstominimizecost.Mostdocumentsareusedactivelyforonlyaboutamonth,thenmuchlessfrequently.However,alldataneedstobeavailablewithinminuteswhenrequested.Howcanyoumeettheserequirements?

A. MigratethedatatoAmazonS3ReducedRedundancyStorage(RRS)after30days.

B. MigratethedatatoAmazonGlacierafter30days.

C. MigratethedatatoAmazonS3Standard–InfrequentAccess(IA)after30days.

D. Turnonversioning,thenmigratetheolderversiontoAmazonGlacier.

7. HowisdatastoredinAmazonSimpleStorageService(AmazonS3)forhighdurability?

A. Dataisautomaticallyreplicatedtootherregions.

B. Dataisautomaticallyreplicatedwithinaregion.

C. Dataisreplicatedonlyifversioningisenabledonthebucket.

D. Dataisautomaticallybackedupontapeandrestoredifneeded.

8. BasedonthefollowingAmazonSimpleStorageService(AmazonS3)URL,whichoneofthefollowingstatementsiscorrect?

https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc

A. Theobject“myfile.doc”isstoredinthefolder“folderx”inthebucket“bucket1.abc.com.”

B. Theobject“myfile.doc”isstoredinthebucket“bucket1.abc.com.”

C. Theobject“folderx/myfile.doc”isstoredinthebucket“bucket1.abc.com.”

D. Theobject“myfile.doc”isstoredinthebucket“bucket1.”

9. TohavearecordofwhoaccessedyourAmazonSimpleStorageService(AmazonS3)dataandfromwhere,youshoulddowhat?

A. Enableversioningonthebucket.

B. Enablewebsitehostingonthebucket.

C. Enableserveraccesslogsonthebucket.

D. CreateanAWSIdentityandAccessManagement(IAM)bucketpolicy.

E. EnableAmazonCloudWatchlogs.

10. Whataresomereasonstoenablecross-regionreplicationonanAmazonSimpleStorageService(AmazonS3)bucket?(Choose2answers)

https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc

A. Youwantabackupofyourdataincaseofaccidentaldeletion.

B. Youhaveasetofusersorcustomerswhocanaccessthesecondbucketwithlowerlatency.

C. Forcompliancereasons,youneedtostoredatainalocationatleast300milesawayfromthefirstregion.

D. Yourdataneedsatleastfiveninesofdurability.

11. Yourcompanyrequiresthatalldatasenttoexternalstoragebeencryptedbeforebeingsent.WhichAmazonSimpleStorageService(AmazonS3)encryptionsolutionwillmeetthisrequirement?

A. Server-SideEncryption(SSE)withAWS-managedkeys(SSE-S3)

B. SSEwithcustomer-providedkeys(SSE-C)

C. Client-sideencryptionwithcustomer-managedkeys

D. Server-sideencryptionwithAWSKeyManagementService(AWSKMS)keys(SSE-KMS)

12. YouhaveapopularwebapplicationthataccessesdatastoredinanAmazonSimpleStorageService(AmazonS3)bucket.Youexpecttheaccesstobeveryread-intensive,withexpectedrequestratesofupto500GETspersecondfrommanyclients.HowcanyouincreasetheperformanceandscalabilityofAmazonS3inthiscase?

A. Turnoncross-regionreplicationtoensurethatdataisservedfrommultiplelocations.

B. Ensurerandomnessinthenamespacebyincludingahashprefixtokeynames.

C. Turnonserveraccesslogging.

D. Ensurethatkeynamesaresequentialtoenablepre-fetch.

13. Whatisneededbeforeyoucanenablecross-regionreplicationonanAmazonSimpleStorageService(AmazonS3)bucket?(Choose2answers)

A. Enableversioningonthebucket.

B. Enablealifecycleruletomigratedatatothesecondregion.

C. Enablestaticwebsitehosting.

D. CreateanAWSIdentityandAccessManagement(IAM)policytoallowAmazonS3toreplicateobjectsonyourbehalf.

14. Yourcompanyhas100TBoffinancialrecordsthatneedtobestoredforsevenyearsbylaw.Experiencehasshownthatanyrecordmorethanone-yearoldisunlikelytobeaccessed.Whichofthefollowingstorageplansmeetstheseneedsinthemostcostefficientmanner?

A. StorethedataonAmazonElasticBlockStore(AmazonEBS)volumesattachedtot2.microinstances.

B. StorethedataonAmazonSimpleStorageService(AmazonS3)withlifecyclepoliciesthatchangethestorageclasstoAmazonGlacierafteroneyearanddeletetheobject

aftersevenyears.

C. StorethedatainAmazonDynamoDBandrundailyscripttodeletedataolderthansevenyears.

D. StorethedatainAmazonElasticMapReduce(AmazonEMR).

15. AmazonSimpleStorageService(S3)bucketpoliciescanrestrictaccesstoanAmazonS3bucketandobjectsbywhichofthefollowing?(Choose3answers)

A. Companyname

B. IPaddressrange

C. AWSaccount

D. Countryoforigin

E. Objectswithaspecificprefix

16. AmazonSimpleStorageService(AmazonS3)isaneventuallyconsistentstoragesystem.Forwhatkindsofoperationsisitpossibletogetstaledataasaresultofeventualconsistency?(Choose2answers)

A. GETafterPUTofanewobject

B. GETorLISTafteraDELETE

C. GETafteroverwritePUT(PUTtoanexistingkey)

D. DELETEafterPUTofnewobject

17. WhatmustbedonetohostastaticwebsiteinanAmazonSimpleStorageService(AmazonS3)bucket?(Choose3answers)

A. Configurethebucketforstatichostingandspecifyanindexanderrordocument.

B. Createabucketwiththesamenameasthewebsite.

C. EnableFileTransferProtocol(FTP)onthebucket.

D. Maketheobjectsinthebucketworld-readable.

E. EnableHTTPonthebucket.

18. YouhavevaluablemediafileshostedonAWSandwantthemtobeservedonlytoauthenticatedusersofyourwebapplication.Youareconcernedthatyourcontentcouldbestolenanddistributedforfree.Howcanyouprotectyourcontent?

A. Usestaticwebhosting.

B. Generatepre-signedURLsforcontentinthewebapplication.

C. UseAWSIdentityandAccessManagement(IAM)policiestorestrictaccess.

D. Useloggingtotrackyourcontent.

19. AmazonGlacieriswell-suitedtodatathatiswhichofthefollowing?(Choose2answers)

A. Isinfrequentlyorrarelyaccessed

B. Mustbeimmediatelyavailablewhenneeded

C. Isavailableafterathree-tofive-hourrestoreperiod

D. Isfrequentlyerasedwithin30days

20. WhichstatementsaboutAmazonGlacieraretrue?(Choose3answers)

A. AmazonGlacierstoresdatainobjectsthatliveinarchives.

B. AmazonGlacierarchivesareidentifiedbyuser-specifiedkeynames.

C. AmazonGlacierarchivestakethreetofivehourstorestore.

D. AmazonGlaciervaultscanbelocked.

E. AmazonGlaciercanbeusedasastandaloneserviceandasanAmazonS3storageclass.

Chapter3AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)THEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems




Planninganddesign



2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.


ConfigureanAmazonMachineImage(AMI)

Configureservicestosupportcompliancerequirementsinthecloud

LaunchinstancesacrosstheAWSglobalinfrastructure




Disasterrecovery

AmazonEB

IntroductionInthischapter,youlearnhowAmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)providethebasicelementsofcomputeandblock-levelstoragetorunyourworkloadsonAWS.Itfocusesonkeytopicsyouneedtounderstandfortheexam,including:

HowinstancetypesandAmazonMachineImages(AMIs)definethecapabilitiesofinstancesyoulaunchonthecloud

Howtosecurelyaccessyourinstancesrunningonthecloud

Howtoprotectyourinstanceswithvirtualfirewallscalledsecuritygroups

Howtohaveyourinstancesconfigurethemselvesforunattendedlaunch

Howtomonitorandmanageyourinstancesonthecloud

Howtochangethecapabilitiesofanexistinginstance

Thepaymentoptionsavailableforthebestmixofaffordabilityandflexibility

Howtenancyoptionsandplacementgroupsprovideoptionstooptimizecomplianceandperformance

HowinstancestoresdifferfromAmazonEBSvolumesandwhentheyareeffective

WhattypesofvolumesareavailablethroughAmazonEBS

HowtoprotectyourdataonAmazonEBS

AmazonElasticComputeCloud(AmazonEC2)AmazonEC2isAWSprimarywebservicethatprovidesresizablecomputecapacityinthecloud.

ComputeBasicsComputereferstotheamountofcomputationalpowerrequiredtofulfillyourworkload.Ifyourworkloadisverysmall,suchasawebsitethatreceivesfewvisitors,thenyourcomputeneedsareverysmall.Alargeworkload,suchasscreeningtenmillioncompoundsagainstacommoncancertarget,mightrequireagreatdealofcompute.Theamountofcomputeyouneedmightchangedrasticallyovertime.

AmazonEC2allowsyoutoacquirecomputethroughthelaunchingofvirtualserverscalledinstances.Whenyoulaunchaninstance,youcanmakeuseofthecomputeasyouwish,justasyouwouldwithanon-premisesserver.Becauseyouarepayingforthecomputingpoweroftheinstance,youarechargedperhourwhiletheinstanceisrunning.Whenyoustoptheinstance,youarenolongercharged.

TherearetwoconceptsthatarekeytolaunchinginstancesonAWS:(1)theamountofvirtualhardwarededicatedtotheinstanceand(2)thesoftwareloadedontheinstance.Thesetwodimensionsofnewinstancesarecontrolled,respectively,bytheinstancetypeandtheAMI.

InstanceTypesTheinstancetypedefinesthevirtualhardwaresupportinganAmazonEC2instance.Therearedozensofinstancetypesavailable,varyinginthefollowingdimensions:

VirtualCPUs(vCPUs)

Memory

Storage(sizeandtype)

Networkperformance

Instancetypesaregroupedintofamiliesbasedontheratioofthesevaluestoeachother.Forinstance,them4familyprovidesabalanceofcompute,memory,andnetworkresources,anditisagoodchoiceformanyapplications.Withineachfamilythereareseveralchoicesthatscaleuplinearlyinsize.Figure3.1showsthefourinstancesizesinthem4family.NotethattheratioofvCPUstomemoryisconstantasthesizesscalelinearly.Thehourlypriceforeachsizescaleslinearlyaswell.Forexample,anm4.xlargeinstancecoststwiceasmuchasthem4.largeinstance.

FIGURE3.1MemoryandvCPUsforthem4instancefamily

Differentinstancetypefamiliestilttheratiotoaccommodatedifferenttypesofworkloads,buttheyallexhibitthislinearscaleupbehaviorwithinthefamily.Table3.1listssomeofthefamiliesavailable.

TABLE3.1SampleInstanceTypeFamilies

Family

c4 Computeoptimized—Forworkloadsrequiringsignificantprocessing

r3 Memoryoptimized—Formemory-intensiveworkloads

i2 Storageoptimized—ForworkloadsrequiringhighamountsoffastSSDstorage

g2 GPU-basedinstances—Intendedforgraphicsandgeneral-purposeGPUcomputeworkloads

Inresponsetocustomerdemandandtotakeadvantageofnewprocessortechnology,AWSoccasionallyintroducesnewinstancefamilies.ChecktheAWSwebsiteforthecurrentlist.

Anothervariabletoconsiderwhenchoosinganinstancetypeisnetworkperformance.Formostinstancetypes,AWSpublishesarelativemeasureofnetworkperformance:low,moderate,orhigh.Someinstancetypesspecifyanetworkperformanceof10Gbps.The

networkperformanceincreaseswithinafamilyastheinstancetypegrows.

Forworkloadsrequiringgreaternetworkperformance,manyinstancetypessupportenhancednetworking.EnhancednetworkingreducestheimpactofvirtualizationonnetworkperformancebyenablingacapabilitycalledSingleRootI/OVirtualization(SR-IOV).ThisresultsinmorePacketsPerSecond(PPS),lowerlatency,andlessjitter.Atthetimeofthiswriting,thereareinstancetypesthatsupportenhancednetworkingintheC3,C4,D2,I2,M4,andR3families(consulttheAWSdocumentationforacurrentlist).Enablingenhancednetworkingonaninstanceinvolvesensuringthecorrectdriversareinstalledandmodifyinganinstanceattribute.EnhancednetworkingisavailableonlyforinstanceslaunchedinanAmazonVirtualPrivateCloud(AmazonVPC),whichisdiscussedinChapter4,“AmazonVirtualPrivateCloud(AmazonVPC).”

AmazonMachineImages(AMIs)TheAmazonMachineImage(AMI)definestheinitialsoftwarethatwillbeonaninstancewhenitislaunched.AnAMIdefineseveryaspectofthesoftwarestateatinstancelaunch,including:

TheOperatingSystem(OS)anditsconfiguration

Theinitialstateofanypatches

Applicationorsystemsoftware

AllAMIsarebasedonx86OSs,eitherLinuxorWindows.

TherearefoursourcesofAMIs:

PublishedbyAWS—AWSpublishesAMIswithversionsofmanydifferentOSs,bothLinuxandWindows.TheseincludemultipledistributionsofLinux(includingUbuntu,RedHat,andAmazon’sowndistribution)andWindows2008andWindows2012.LaunchinganinstancebasedononeoftheseAMIswillresultinthedefaultOSsettings,similartoinstallinganOSfromthestandardOSISOimage.AswithanyOSinstallation,youshouldimmediatelyapplyallappropriatepatchesuponlaunch.

TheAWSMarketplace—AWSMarketplaceisanonlinestorethathelpscustomersfind,buy,andimmediatelystartusingthesoftwareandservicesthatrunonAmazonEC2.ManyAWSpartnershavemadetheirsoftwareavailableintheAWSMarketplace.Thisprovidestwobenefits:thecustomerdoesnotneedtoinstallthesoftware,andthelicenseagreementisappropriateforthecloud.InstanceslaunchedfromanAWSMarketplaceAMIincurthestandardhourlycostoftheinstancetypeplusanadditionalper-hourchargefortheadditionalsoftware(someopen-sourceAWSMarketplacepackageshavenoadditionalsoftwarecharge).

GeneratedfromExistingInstances—AnAMIcanbecreatedfromanexistingAmazonEC2instance.ThisisaverycommonsourceofAMIs.CustomerslaunchaninstancefromapublishedAMI,andthentheinstanceisconfiguredtomeetallthecustomer’scorporatestandardsforupdates,management,security,andsoon.AnAMIisthengeneratedfromtheconfiguredinstanceandusedtogenerateallinstancesofthatOS.Inthisway,allnewinstancesfollowthecorporatestandardanditismoredifficultforindividualprojectstolaunchnon-conforminginstances.

UploadedVirtualServers—UsingAWSVMImport/Exportservice,customerscancreateimagesfromvariousvirtualizationformats,includingraw,VHD,VMDK,andOVA.ThecurrentlistofsupportedOSs(LinuxandWindows)canbefoundintheAWSdocumentation.ItisincumbentonthecustomerstoremaincompliantwiththelicensingtermsoftheirOSvendor.

SecurelyUsinganInstanceOncelaunched,instancescanbemanagedovertheInternet.AWShasseveralservicesandfeaturestoensurethatthismanagementcanbedonesimplyandsecurely.

AddressinganInstanceThereareseveralwaysthataninstancemaybeaddressedoverthewebuponcreation:

PublicDomainNameSystem(DNS)Name—Whenyoulaunchaninstance,AWScreatesaDNSnamethatcanbeusedtoaccesstheinstance.ThisDNSnameisgeneratedautomaticallyandcannotbespecifiedbythecustomer.ThenamecanbefoundintheDescriptiontaboftheAWSManagementConsoleorviatheCommandLineInterface(CLI)orApplicationProgrammingInterface(API).ThisDNSnamepersistsonlywhiletheinstanceisrunningandcannotbetransferredtoanotherinstance.

PublicIP—AlaunchedinstancemayalsohaveapublicIPaddressassigned.ThisIPaddressisassignedfromtheaddressesreservedbyAWSandcannotbespecified.ThisIPaddressisuniqueontheInternet,persistsonlywhiletheinstanceisrunning,andcannotbetransferredtoanotherinstance.

ElasticIP—AnelasticIPaddressisanaddressuniqueontheInternetthatyoureserveindependentlyandassociatewithanAmazonEC2instance.WhilesimilartoapublicIP,therearesomekeydifferences.ThisIPaddresspersistsuntilthecustomerreleasesitandisnottiedtothelifetimeorstateofanindividualinstance.Becauseitcanbetransferredtoareplacementinstanceintheeventofaninstancefailure,itisapublicaddressthatcanbesharedexternallywithoutcouplingclientstoaparticularinstance.

PrivateIPaddressesandElasticNetworkInterfaces(ENIs)areadditionalmethodsofaddressinginstancesthatareavailableinthecontextofanAmazonVPC.ThesearediscussedinChapter4.

InitialAccessAmazonEC2usespublic-keycryptographytoencryptanddecryptlogininformation.Public-keycryptographyusesapublickeytoencryptapieceofdataandanassociatedprivatekeytodecryptthedata.Thesetwokeystogetherarecalledakeypair.KeypairscanbecreatedthroughtheAWSManagementConsole,CLI,orAPI,orcustomerscanuploadtheirownkeypairs.AWSstoresthepublickey,andtheprivatekeyiskeptbythecustomer.Theprivatekeyisessentialtoacquiringsecureaccesstoaninstanceforthefirsttime.

Storeyourprivatekeyssecurely.WhenAmazonEC2launchesaLinuxinstance,thepublickeyisstoredinthe /.ssh/authorized_keysfileontheinstanceandaninitialuseriscreated.TheinitialusercanvarydependingontheOS.Forexample,theAmazonLinuxdistributioninitialuserisec2-user.Initialaccesstotheinstanceisobtainedbyusingtheec2-userandtheprivatekeytologinviaSSH.Atthispoint,youcanconfigureotherusersandenrollinadirectorysuchasLDAP.

WhenlaunchingaWindowsinstance,AmazonEC2generatesarandompasswordforthelocaladministratoraccountandencryptsthepasswordusingthepublickey.Initialaccesstotheinstanceisobtainedbydecryptingthepasswordwiththeprivatekey,eitherintheconsoleorthroughtheAPI.ThedecryptedpasswordcanbeusedtologintotheinstancewiththelocaladministratoraccountviaRDP.Atthispoint,youcancreateotherlocalusersand/orconnecttoanActiveDirectorydomain.

Itisabestpracticetochangetheinitiallocaladministratorpassword.

VirtualFirewallProtectionAWSallowsyoutocontroltrafficinandoutofyourinstancesthroughvirtualfirewallscalledsecuritygroups.Securitygroupsallowyoutocontroltrafficbasedonport,protocol,andsource/destination.SecuritygroupshavedifferentcapabilitiesdependingonwhethertheyareassociatedwithanAmazonVPCorAmazonEC2-Classic.Table3.2comparesthesedifferentcapabilities(AmazonVPCisdiscussedinChapter4).

TABLE3.2DifferentSecurityGroups

TypeofSecurityGroup Capabilities

EC2-ClassicSecurityGroups Controloutgoinginstancetraffic

VPCSecurityGroups Controloutgoingandincominginstancetraffic

Securitygroupsareassociatedwithinstanceswhentheyarelaunched.Everyinstancemusthaveatleastonesecuritygroupbutcanhavemore.

Asecuritygroupisdefaultdeny;thatis,itdoesnotallowanytrafficthatisnotexplicitlyallowedbyasecuritygrouprule.AruleisdefinedbythethreeattributesinTable3.3.Whenaninstanceisassociatedwithmultiplesecuritygroups,therulesareaggregatedandalltrafficallowedbyeachoftheindividualgroupsisallowed.Forexample,ifsecuritygroupAallowsRDPtrafficfrom72.58.0.0/16andsecuritygroupBallowsHTTPandHTTPStrafficfrom0.0.0.0/0andyourinstanceisassociatedwithbothgroups,thenboththeRDPandHTTP/Strafficwillbeallowedintoyourinstance.

TABLE3.3SecurityGroupRuleAttributes

Attribute Meaning

Port Theportnumberaffectedbythisrule.Forinstance,port80forHTTPtraffic.

Protocol Thecommunicationsstandardforthetrafficaffectedbythisrule.

Source/Destination Identifiestheotherendofthecommunication,thesourceforincomingtrafficrules,orthedestinationforoutgoingtrafficrules.Thesource/destinationcanbedefinedintwoways:CIDRblock—Anx.x.x.x/xstyledefinitionthatdefinesaspecificrangeofIPaddresses.Securitygroup—Includesanyinstancethatisassociatedwiththegivensecuritygroup.ThishelpspreventcouplingsecuritygroupruleswithspecificIPaddresses.

Asecuritygroupisastatefulfirewall;thatis,anoutgoingmessageisrememberedsothattheresponseisallowedthroughthesecuritygroupwithoutanexplicitinboundrulebeingrequired.

Securitygroupsareappliedattheinstancelevel,asopposedtoatraditionalon-premisesfirewallthatprotectsattheperimeter.Theeffectofthisisthatinsteadofhavingtobreachasingleperimetertoaccessalltheinstancesinyoursecuritygroup,anattackerwouldhavetobreachthesecuritygrouprepeatedlyforeachindividualinstance.

TheLifecycleofInstancesAmazonEC2hasseveralfeaturesandservicesthatfacilitatethemanagementofAmazonEC2instancesovertheirentirelifecycle.

LaunchingThereareseveraladditionalservicesthatareusefulwhenlaunchingnewAmazonEC2instances.

BootstrappingAgreatbenefitofthecloudistheabilitytoscriptvirtualhardwaremanagementinamannerthatisnotpossiblewithon-premiseshardware.Inordertorealizethevalueofthis,therehastobesomewaytoconfigureinstancesandinstallapplicationsprogrammaticallywhenaninstanceislaunched.Theprocessofprovidingcodetoberunonaninstanceatlaunchiscalledbootstrapping.

OneoftheparameterswhenaninstanceislaunchedisastringvaluecalledUserData.Thisstringispassedtotheoperatingsystemtobeexecutedaspartofthelaunchprocessthefirsttimetheinstanceisbooted.OnLinuxinstancesthiscanbeshellscript,andonWindowsinstancesthiscanbeabatchstylescriptoraPowerShellscript.Thescriptcanperformtaskssuchas:

ApplyingpatchesandupdatestotheOS

Enrollinginadirectoryservice

Installingapplicationsoftware

Copyingalongerscriptorprogramfromstoragetoberunontheinstance

InstallingCheforPuppetandassigningtheinstancearolesotheconfigurationmanagementsoftwarecanconfiguretheinstance

UserDataisstoredwiththeinstanceandisnotencrypted,soitisimportanttonotincludeanysecretssuchaspasswordsorkeysintheUserData.

VMImport/ExportInadditiontoimportingvirtualinstancesasAMIs,VMImport/ExportenablesyoutoeasilyimportVirtualMachines(VMs)fromyourexistingenvironmentasanAmazonEC2instanceandexportthembacktoyouron-premisesenvironment.YoucanonlyexportpreviouslyimportedAmazonEC2instances.InstanceslaunchedwithinAWSfromAMIscannotbeexported.

InstanceMetadataInstancemetadataisdataaboutyourinstancethatyoucanusetoconfigureormanagetherunninginstance.ThisisuniqueinthatitisamechanismtoobtainAWSpropertiesoftheinstancefromwithintheOSwithoutmakingacalltotheAWSAPI.AnHTTPcalltohttp://169.254.169.254/latest/meta-data/willreturnthetopnodeoftheinstancemetadatatree.Instancemetadataincludesawidevarietyofattributes,including:

Theassociatedsecuritygroups

TheinstanceID

Theinstancetype

TheAMIusedtolaunchtheinstance

Thisonlybeginstoscratchthesurfaceoftheinformationavailableinthemetadata.ConsulttheAWSdocumentationforafulllist.

ManagingInstancesWhenthenumberofinstancesinyouraccountstartstoclimb,itcanbecomedifficulttokeeptrackofthem.TagscanhelpyoumanagenotjustyourAmazonEC2instances,butalsomanyofyourAWSCloudservices.Tagsarekey/valuepairsyoucanassociatewithyourinstanceorotherservice.Tagscanbeusedtoidentifyattributesofaninstancelikeproject,environment(dev,test,andsoon),billabledepartment,andsoforth.Youcanapplyupto10tagsperinstance.Table3.4showssometagsuggestions.

TABLE3.4SampleTags

Key Value

Project TimeEntry

Environment Production

BillingCode 4004

MonitoringInstancesAWSoffersaservicecalledAmazonCloudWatchthatprovidesmonitoringandalertingfor

http://169.254.169.254/latest/meta-data/

AmazonEC2instances,andalsootherAWSinfrastructure.AmazonCloudWatchisdiscussedindetailinChapter5,“ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling.”

ModifyinganInstanceThereareseveralaspectsofaninstancethatcanbemodifiedafterlaunch.

InstanceTypeTheabilitytochangetheinstancetypeofaninstancecontributesgreatlytotheagilityofrunningworkloadsinthecloud.Insteadofcommittingtoacertainhardwareconfigurationmonthsbeforeaworkloadislaunched,theworkloadcanbelaunchedusingabestestimatefortheinstancetype.Ifthecomputeneedsprovetobehigherorlowerthanexpected,theinstancescanbechangedtoadifferentsizemoreappropriatetotheworkload.

InstancescanberesizedusingtheAWSManagementConsole,CLI,orAPI.Toresizeaninstance,setthestatetoStopped.Choosethe“ChangeInstanceType”functioninthetoolofyourchoice(theinstancetypeislistedasanInstanceSettingintheconsoleandanInstanceAttributeintheCLI)andselectthedesiredinstancetype.Restarttheinstanceandtheprocessiscomplete.

SecurityGroupsIfaninstanceisrunninginanAmazonVPC(discussedinChapter4),youcanchangewhichsecuritygroupsareassociatedwithaninstancewhiletheinstanceisrunning.ForinstancesoutsideofanAmazonVPC(calledEC2-Classic),theassociationofthesecuritygroupscannotbechangedafterlaunch.

TerminationProtectionWhenanAmazonEC2instanceisnolongerneeded,thestatecanbesettoTerminatedandtheinstancewillbeshutdownandremovedfromtheAWSinfrastructure.InordertopreventterminationviatheAWSManagementConsole,CLI,orAPI,terminationprotectioncanbeenabledforaninstance.Whileenabled,callstoterminatetheinstancewillfailuntilterminationprotectionisdisabled.Thishelpstopreventaccidentalterminationthroughhumanerror.

NotethatthisjustprotectsfromterminationcallsfromtheAWSManagementConsole,CLI,orAPI.ItdoesnotpreventterminationtriggeredbyanOSshutdowncommand,terminationfromanAutoScalinggroup(discussedinChapter5),orterminationofaSpotInstanceduetoSpotpricechanges(discussedinthenextsection).

OptionsThereareseveraladditionaloptionsavailableinAmazonEC2toimprovecostoptimization,security,andperformancethatareimportanttoknowfortheexam.

PricingOptionsYouarechargedforAmazonEC2instancesforeachhourthattheyareinarunningstate,buttheamountyouarechargedperhourcanvarybasedonthreepricingoptions:On-DemandInstances,ReservedInstances,andSpotInstances.

On-DemandInstancesThepriceperhourforeachinstancetypepublishedontheAWSwebsiterepresentsthepriceforOn-DemandInstances.Thisisthemostflexiblepricingoption,asitrequiresnoup-frontcommitment,andthecustomerhascontroloverwhenthe

instanceislaunchedandwhenitisterminated.Itistheleastcosteffectiveofthethreepricingoptionspercomputehour,butitsflexibilityallowscustomerstosavebyprovisioningavariablelevelofcomputeforunpredictableworkloads.

ReservedInstancesTheReservedInstancepricingoptionenablescustomerstomakecapacityreservationsforpredictableworkloads.ByusingReservedInstancesfortheseworkloads,customerscansaveupto75percentovertheon-demandhourlyrate.Whenpurchasingareservation,thecustomerspecifiestheinstancetypeandAvailabilityZoneforthatReservedInstanceandachievesalowereffectivehourlypriceforthatinstanceforthedurationofthereservation.AnadditionalbenefitisthatcapacityintheAWSdatacentersisreservedforthatcustomer.Therearetwofactorsthatdeterminethecostofthereservation:thetermcommitmentandthepaymentoption.

Thetermcommitmentisthedurationofthereservationandcanbeeitheroneorthreeyears.Thelongerthecommitment,thebiggerthediscount.

TherearethreedifferentpaymentoptionsforReservedInstances:

AllUpfront—Payfortheentirereservationupfront.Thereisnomonthlychargeforthecustomerduringtheterm.

PartialUpfront—Payaportionofthereservationchargeupfrontandtherestinmonthlyinstallmentsforthedurationoftheterm.

NoUpfront—Paytheentirereservationchargeinmonthlyinstallmentsforthedurationoftheterm.

Theamountofthediscountisgreaterthemorethecustomerpaysupfront.

Forexample,let’slookattheeffectofanallupfront,three-yearreservationontheeffectivehourlycostofanm4.2xlargeinstance.Thecostofrunningoneinstancecontinuouslyforthreeyears(or26,280hours)atbothpricingoptionsisshowninTable3.5.

TABLE3.5ReservedInstancePricingExample

PricingOption EffectiveHourlyCost TotalThree-YearCost

On-Demand $0.479/hour $0.479/hour*26280hours=$12588.12

Three-YearAllUpfrontReservation

$4694/26280hours=$0.1786/hour

$4694

Savings 63%

Thisexampleusesthepublishedpricesatthetimeofthiswriting.AWShasloweredpricesmanytimestodate,sochecktheAWSwebsiteforcurrentpricinginformation.

Whenyourcomputingneedschange,youcanmodifyyourReservedInstancesandcontinuetobenefitfromyourcapacityreservation.ModificationdoesnotchangetheremainingtermofyourReservedInstances;theirenddatesremainthesame.Thereisnofee,andyoudonot

receiveanynewbillsorinvoices.Modificationisseparatefrompurchasinganddoesnotaffecthowyouuse,purchase,orsellReservedInstances.Youcanmodifyyourwholereservation,orjustasubset,inoneormoreofthefollowingways:

SwitchAvailabilityZoneswithinthesameregion.

ChangebetweenEC2-VPCandEC2-Classic.

Changetheinstancetypewithinthesameinstancefamily(Linuxinstancesonly).

SpotInstancesForworkloadsthatarenottimecriticalandaretolerantofinterruption,SpotInstancesofferthegreatestdiscount.WithSpotInstances,customersspecifythepricetheyarewillingtopayforacertaininstancetype.Whenthecustomer’sbidpriceisabovethecurrentSpotprice,thecustomerwillreceivetherequestedinstance(s).TheseinstanceswilloperatelikeallotherAmazonEC2instances,andthecustomerwillonlypaytheSpotpriceforthehoursthatinstance(s)run.Theinstanceswillrununtil:

Thecustomerterminatesthem.

TheSpotpricegoesabovethecustomer’sbidprice.

ThereisnotenoughunusedcapacitytomeetthedemandforSpotInstances.

IfAmazonEC2needstoterminateaSpotInstance,theinstancewillreceiveaterminationnoticeprovidingatwo-minutewarningpriortoAmazonEC2terminatingtheinstance.

Becauseofthepossibilityofinterruption,SpotInstancesshouldonlybeusedforworkloadstolerantofinterruption.Thiscouldincludeanalytics,financialmodeling,bigdata,mediaencoding,scientificcomputing,andtesting.

ArchitectureswithDifferentPricingModelsFortheexam,it’simportanttoknowhowtotakeadvantageofthedifferentpricingmodelstocreateacost-efficientarchitecture.Suchanarchitecturemayincludedifferentpricingmodelswithinthesameworkload.Forinstance,awebsitethataverages5,000visitsaday,butrampsupto20,000visitsadayduringperiodicpeaks,maypurchasetwoReservedInstancestohandletheaveragetraffic,butdependonOn-DemandInstancestofulfillcomputeneedsduringthepeaktimes.Figure3.2showssuchanarchitecture.

FIGURE3.2AworkloadusingamixofOn-DemandandReservedInstances

TenancyOptionsThereareseveraltenancyoptionsforAmazonEC2instancesthatcanhelpcustomersachievesecurityandcompliancegoals.

SharedTenancySharedtenancyisthedefaulttenancymodelforallAmazonEC2instances,regardlessofinstancetype,pricingmodel,andsoforth.Sharedtenancymeansthatasinglehostmachinemayhouseinstancesfromdifferentcustomers.AsAWSdoesnotuseoverprovisioningandfullyisolatesinstancesfromotherinstancesonthesamehost,thisisasecuretenancymodel.

DedicatedInstancesDedicatedInstancesrunonhardwarethat’sdedicatedtoasinglecustomer.AsacustomerrunsmoreDedicatedInstances,moreunderlyinghardwaremaybededicatedtotheiraccount.Otherinstancesintheaccount(thosenotdesignatedasdedicated)willrunonsharedtenancyandwillbeisolatedatthehardwarelevelfromtheDedicatedInstancesintheaccount.

DedicatedHostAnAmazonEC2DedicatedHostisaphysicalserverwithAmazonEC2instancecapacityfullydedicatedtoasinglecustomer’suse.DedicatedHostscanhelpyouaddresslicensingrequirementsandreducecostsbyallowingyoutouseyourexistingserver-boundsoftwarelicenses.Thecustomerhascompletecontroloverwhichspecifichostrunsaninstanceatlaunch.ThisdiffersfromDedicatedInstancesinthataDedicatedInstancecanlaunchonanyhardwarethathasbeendedicatedtotheaccount.

PlacementGroupsAplacementgroupisalogicalgroupingofinstanceswithinasingleAvailabilityZone.Placementgroupsenableapplicationstoparticipateinalow-latency,10Gbpsnetwork.Placementgroupsarerecommendedforapplicationsthatbenefitfromlownetworklatency,highnetworkthroughput,orboth.Rememberthatthisrepresentsnetworkconnectivitybetweeninstances.Tofullyusethisnetworkperformanceforyourplacementgroup,chooseaninstancetypethatsupportsenhancednetworkingand10Gbpsnetworkperformance.

InstanceStoresAninstancestore(sometimesreferredtoasephemeralstorage)providestemporaryblock-levelstorageforyourinstance.Thisstorageislocatedondisksthatarephysicallyattachedtothehostcomputer.Aninstancestoreisidealfortemporarystorageofinformationthatchangesfrequently,suchasbuffers,caches,scratchdata,andothertemporarycontent,orfordatathatisreplicatedacrossafleetofinstances,suchasaload-balancedpoolofwebservers.

ThesizeandtypeofinstancestoresavailablewithanAmazonEC2instancedependontheinstancetype.Atthiswriting,storageavailablewithvariousinstancetypesrangesfromnoinstancestoresupto242TBinstancestores.Theinstancetypealsodeterminesthetypeofhardwarefortheinstancestorevolumes.WhilesomeprovideHardDiskDrive(HDD)instancestores,otherinstancetypesuseSolidStateDrives(SSDs)todeliververyhighrandomI/Operformance.

InstancestoresareincludedinthecostofanAmazonEC2instance,sotheyareaverycost-effectivesolutionforappropriateworkloads.Thekeyaspectofinstancestoresisthattheyaretemporary.Dataintheinstancestoreislostwhen:

Theunderlyingdiskdrivefails.

Theinstancestops(thedatawillpersistifaninstancereboots).

Theinstanceterminates.

Therefore,donotrelyoninstancestoresforvaluable,long-termdata.Instead,buildadegreeofredundancyviaRAIDoruseafilesystemthatsupportsredundancyandfaulttolerancesuchasHadoop’sHDFS.BackupthedatatomoredurabledatastoragesolutionssuchasAmazonSimpleStorageService(AmazonS3)orAmazonEBSoftenenoughtomeetrecoverypointobjectives.

AmazonElasticBlockStore(AmazonEBS)Whileinstancestoresareaneconomicalwaytofulfillappropriateworkloads,theirlimitedpersistencemakesthemill-suitedformanyotherworkloads.Forworkloadsrequiringmoredurableblockstorage,AmazonprovidesAmazonEBS.

ElasticBlockStoreBasicsAmazonEBSprovidespersistentblock-levelstoragevolumesforusewithAmazonEC2instances.EachAmazonEBSvolumeisautomaticallyreplicatedwithinitsAvailabilityZonetoprotectyoufromcomponentfailure,offeringhighavailabilityanddurability.AmazonEBSvolumesareavailableinavarietyoftypesthatdifferinperformancecharacteristicsandprice.MultipleAmazonEBSvolumescanbeattachedtoasingleAmazonEC2instance,althoughavolumecanonlybeattachedtoasingleinstanceatatime.

TypesofAmazonEBSVolumesAmazonEBSvolumesareavailableinseveraldifferenttypes.Typesvaryinareassuchasunderlyinghardware,performance,andcost.Itisimportanttoknowthepropertiesofthedifferenttypessoyoucanspecifythemostcost-efficienttypethatmeetsaworkload’sperformancedemandsontheexam.

MagneticVolumesMagneticvolumeshavethelowestperformancecharacteristicsofallAmazonEBSvolumetypes.Assuch,theycostthelowestpergigabyte.Theyareanexcellent,cost-effectivesolutionforappropriateworkloads.

AmagneticAmazonEBSvolumecanrangeinsizefrom1GBto1TBandwillaverage100IOPS,buthastheabilitytobursttohundredsofIOPS.Theyarebestsuitedfor:

Workloadswheredataisaccessedinfrequently

Sequentialreads

Situationswherelow-coststorageisarequirement

Magneticvolumesarebilledbasedontheamountofdataspaceprovisioned,regardlessofhowmuchdatayouactuallystoreonthevolume.

General-PurposeSSDGeneral-purposeSSDvolumesoffercost-effectivestoragethatisidealforabroadrangeofworkloads.Theydeliverstrongperformanceatamoderatepricepointthatissuitableforawiderangeofworkloads.

Ageneral-purposeSSDvolumecanrangeinsizefrom1GBto16TBandprovidesabaselineperformanceofthreeIOPSpergigabyteprovisioned,cappingat10,000IOPS.Forinstance,ifyouprovisiona1TBvolume,youcanexpectabaselineperformanceof3,000IOPS.A5TBvolumewillnotprovidea15,000IOPSbaseline,asitwouldhitthecapat10,000IOPS.

General-purposeSSDvolumesunder1TBalsofeaturetheabilitytobursttoupto3,000

IOPSforextendedperiodsoftime.Forinstance,ifyouhavea500GBvolumeyoucanexpectabaselineof1,500IOPS.WheneveryouarenotusingtheseIOPS,theyareaccumulatedasI/Ocredits.Whenyourvolumethenhasheavytraffic,itwillusetheI/Ocreditsatarateofupto3,000IOPSuntiltheyaredepleted.Atthatpoint,yourperformancerevertsto1,500IOPS.At1TB,thebaselineperformanceofthevolumeisalreadyat3,000IOPS,soburstingbehaviordoesnotapply.

General-purposeSSDvolumesarebilledbasedontheamountofdataspaceprovisioned,regardlessofhowmuchdatayouactuallystoreonthevolume.Theyaresuitedforawiderangeofworkloadswheretheveryhighestdiskperformanceisnotcritical,suchas:

Systembootvolumes

Small-tomedium-sizeddatabases

Developmentandtestenvironments

ProvisionedIOPSSSDProvisionedIOPSSSDvolumesaredesignedtomeettheneedsofI/O-intensiveworkloads,particularlydatabaseworkloadsthataresensitivetostorageperformanceandconsistencyinrandomaccessI/Othroughput.WhiletheyarethemostexpensiveAmazonEBSvolumetypepergigabyte,theyprovidethehighestperformanceofanyAmazonEBSvolumetypeinapredictablemanner.

AProvisionedIOPSSSDvolumecanrangeinsizefrom4GBto16TB.WhenyouprovisionaProvisionedIOPSSSDvolume,youspecifynotjustthesize,butalsothedesirednumberofIOPS,uptothelowerofthemaximumof30timesthenumberofGBofthevolume,or20,000IOPS.YoucanstripemultiplevolumestogetherinaRAID0configurationforlargersizeandgreaterperformance.AmazonEBSdeliverswithin10percentoftheprovisionedIOPSperformance99.9percentofthetimeoveragivenyear.

PricingisbasedonthesizeofthevolumeandtheamountofIOPSreserved.Thecostpergigabyteisslightlymorethanthatofgeneral-purposeSSDvolumesandisappliedbasedonthesizeofthevolume,nottheamountofthevolumeusedtostoredata.AnadditionalmonthlyfeeisappliedbasedonthenumberofIOPSprovisioned,whethertheyareconsumedornot.

ProvisionedIOPSSSDvolumesprovidepredictable,highperformanceandarewellsuitedfor:

CriticalbusinessapplicationsthatrequiresustainedIOPSperformance

Largedatabaseworkloads

Table3.6comparestheseAmazonEBSvolumetypes.

TABLE3.6EBSVolumeTypeComparison

Characteristic General-PurposeSSD ProvisionedIOPSSSD Magnetic

Usecases Systembootvolumes

Virtualdesktops

Small-to-mediumsizeddatabases

Developmentandtestenvironments

CriticalbusinessapplicationsthatrequiresustainedIOPSperformanceormorethan10,000IOPSor160MBofthroughputpervolume

Largedatabaseworkloads

Coldworkloadswheredataisinfrequentlyaccessed

Scenarioswheretheloweststoragecostisimportant

Volumesize 1GiB–16TiB 4GiB–16TiB 1GiB–1TiB

Maximumthroughput

160MB 320MB 40–90MB

IOPSperformance

Baselineperformanceof3IOPS/GiB(upto10,000IOPS)withtheabilitytoburstto3,000IOPSforvolumesunder1,000GiB

Consistentlyperformsatprovisionedlevel,upto20,000IOPSmaximum

Averages100IOPS,withtheabilitytobursttohundredsofIOPS

Atthetimeofthiswriting,AWSreleasedtwonewHDDvolumetypes:Throughput-OptimizedHDDandColdHDD.Overtime,itisexpectedthatthesenewtypeswilleclipsethecurrentmagneticvolumetype,fulfillingtheneedsofanyworkloadrequiringHDDperformance.

Throughput-OptimizedHDDvolumesarelow-costHDDvolumesdesignedforfrequent-access,throughput-intensiveworkloadssuchasbigdata,datawarehouses,andlogprocessing.Volumescanbeupto16TBwithamaximumIOPSof500andmaximumthroughputof500MB/s.Thesevolumesaresignificantlylessexpensivethangeneral-purposeSSDvolumes.

ColdHDDvolumesaredesignedforlessfrequentlyaccessedworkloads,suchascolderdatarequiringfewerscansperday.Volumescanbeupto16TBwithamaximumIOPSof250andmaximumthroughputof250MB/s.ThesevolumesaresignificantlylessexpensivethanThroughput-OptimizedHDDvolumes.

AmazonEBS-OptimizedInstancesWhenusinganyvolumetypeotherthanmagneticandAmazonEBSI/Oisofconsequence,itisimportanttouseAmazonEBS-optimizedinstancestoensurethattheAmazonEC2instanceispreparedtotakeadvantageoftheI/OoftheAmazonEBSvolume.AnAmazon

EBS-optimizedinstanceusesanoptimizedconfigurationstackandprovidesadditional,dedicatedcapacityforAmazonEBSI/O.ThisoptimizationprovidesthebestperformanceforyourAmazonEBSvolumesbyminimizingcontentionbetweenAmazonEBSI/Oandothertrafficfromyourinstance.WhenyouselectAmazonEBS-optimizedforaninstance,youpayanadditionalhourlychargeforthatinstance.ChecktheAWSdocumentationtoconfirmwhichinstancetypesareavailableasAmazonEBS-optimizedinstance.

ProtectingDataOverthelifecycleofanAmazonEBSvolume,thereareseveralpracticesandservicesthatyoushouldknowaboutwhentakingtheexam.

Backup/Recovery(Snapshots)YoucanbackupthedataonyourAmazonEBSvolumes,regardlessofvolumetype,bytakingpoint-in-timesnapshots.Snapshotsareincrementalbackups,whichmeansthatonlytheblocksonthedevicethathavechangedsinceyourmostrecentsnapshotaresaved.

TakingSnapshotsYoucantakesnapshotsinmanyways:

ThroughtheAWSManagementConsole

ThroughtheCLI

ThroughtheAPI

Bysettingupascheduleofregularsnapshots

DataforthesnapshotisstoredusingAmazonS3technology.Theactionoftakingasnapshotisfree.Youpayonlythestoragecostsforthesnapshotdata.

Whenyourequestasnapshot,thepoint-in-timesnapshotiscreatedimmediatelyandthevolumemaycontinuetobeused,butthesnapshotmayremaininpendingstatusuntilallthemodifiedblockshavebeentransferredtoAmazonS3.

It’simportanttoknowthatwhilesnapshotsarestoredusingAmazonS3technology,theyarestoredinAWS-controlledstorageandnotinyouraccount’sAmazonS3buckets.ThismeansyoucannotmanipulatethemlikeotherAmazonS3objects.Rather,youmustusetheAmazonEBSsnapshotfeaturestomanagethem.Snapshotsareconstrainedtotheregioninwhichtheyarecreated,meaningyoucanusethemtocreatenewvolumesonlyinthesameregion.Ifyouneedtorestoreasnapshotinadifferentregion,youcancopyasnapshottoanotherregion.

CreatingaVolumefromaSnapshotTouseasnapshot,youcreateanewAmazonEBSvolumefromthesnapshot.Whenyoudothis,thevolumeiscreatedimmediatelybutthedataisloadedlazily.Thismeansthatthevolumecanbeaccesseduponcreation,andifthedatabeingrequestedhasnotyetbeenrestored,itwillberestoreduponfirstrequest.Becauseofthis,itisabestpracticetoinitializeavolumecreatedfromasnapshotbyaccessingalltheblocksinthevolume.

SnapshotscanalsobeusedtoincreasethesizeofanAmazonEBSvolume.ToincreasethesizeofanAmazonEBSvolume,takeasnapshotofthevolume,thencreateanewvolumeofthedesiredsizefromthesnapshot.Replacetheoriginalvolumewiththenewvolume.

RecoveringVolumesBecauseAmazonEBSvolumespersistbeyondthelifetimeofaninstance,itispossibletorecoverdataifaninstancefails.IfanAmazonEBS-backedinstancefailsandthereisdataonthebootdrive,itisrelativelystraightforwardtodetachthevolumefromtheinstance.UnlesstheDeleteOnTerminationflagforthevolumehasbeensettofalse,thevolumeshouldbedetachedbeforetheinstanceisterminated.Thevolumecanthenbeattachedasadatavolumetoanotherinstanceandthedatareadandrecovered.

EncryptionOptionsManyworkloadshaverequirementsthatdatabeencryptedatrest,eitherbecauseofcomplianceregulationsorinternalcorporatestandards.AmazonEBSoffersnativeencryptiononallvolumetypes.

WhenyoulaunchanencryptedAmazonEBSvolume,AmazonusestheAWSKeyManagementService(KMS)tohandlekeymanagement.Anewmasterkeywillbecreatedunlessyouselectamasterkeythatyoucreatedseparatelyintheservice.Yourdataandassociatedkeysareencryptedusingtheindustry-standardAES-256algorithm.TheencryptionoccursontheserversthathostAmazonEC2instances,sothedataisactuallyencryptedintransitbetweenthehostandthestoragemediaandalsoonthemedia.(ConsulttheAWSdocumentationforalistofinstancetypesthatsupportAmazonEBSencryption.)Encryptionistransparent,soalldataaccessisthesameasunencryptedvolumes,andyoucanexpectthesameIOPSperformanceonencryptedvolumesasyouwouldwithunencryptedvolumes,withaminimaleffectonlatency.Snapshotsthataretakenfromencryptedvolumesareautomaticallyencrypted,asarevolumesthatarecreatedfromencryptedsnapshots.

SummaryComputeistheamountofcomputationalpowerrequiredtofulfillyourworkload.AmazonEC2istheprimaryserviceforprovidingcomputetocustomers.

Theinstancetypedefinesthevirtualhardwaresupportingtheinstance.AvailableinstancetypesvaryinvCPUs,memory,storage,andnetworkperformancetoaddressnearlyanyworkload.

AnAMIdefinestheinitialsoftwarestateoftheinstance,bothOSandapplications.TherearefoursourcesofAMIs:AWSpublishedgenericOSs,partner-publishedAMIsintheAWSMarketplacewithsoftwarepackagespreinstalled,customer-generatedAMIsfromexistingAmazonEC2instances,anduploadedAMIsfromvirtualservers.

InstancescanbeaddressedbypublicDNSname,publicIPaddress,orelasticIPaddress.ToaccessanewlylaunchedLinuxinstance,usetheprivatehalfofthekeypairtoconnecttotheinstanceviaSSH.ToaccessanewlycreatedWindowsinstance,usetheprivatehalfofthekeypairtodecrypttherandomlyinitializedlocaladministratorpassword.

Networktrafficinandoutofaninstancecanbecontrolledbyavirtualfirewallcalledasecuritygroup.Asecuritygroupallowsrulesthatblocktrafficbasedondirection,port,protocol,andsource/destinationaddress.

BootstrappingallowsyoutorunascripttoinitializeyourinstancewithOSconfigurationsandapplications.Thisfeatureallowsinstancestoconfigurethemselvesuponlaunch.Onceaninstanceislaunched,youcanchangeitsinstancetypeor,forAmazonVPCinstances,thesecuritygroupswithwhichitisassociated.

ThethreepricingoptionsforinstancesareOn-Demand,ReservedInstance,andSpot.On-Demandhasthehighestperhourcost,requiringnoup-frontcommitmentandgivingyoucompletecontroloverthelifetimeoftheinstance.ReservedInstancesrequireacommitmentandprovideareducedoverallcostoverthelifetimeofthereservation.SpotInstancesareidlecomputecapacitythatAWSmakesavailablebasedonbidpricesfromcustomers.Thesavingsontheper-hourcostcanbesignificant,butinstancescanbeshutdownwhenthebidpriceexceedsthecustomer’scurrentbid.

Instancestoresareblockstorageincludedwiththehourlycostoftheinstance.Theamountandtypeofstorageavailablevarieswiththeinstancetype.Instancestoresterminatewhentheassociatedinstanceisstopped,sotheyshouldonlybeusedfortemporarydataorinarchitecturesprovidingredundancysuchasHadoop’sHDFS.

AmazonEBSprovidesdurableblockstorageinseveraltypes.Magnetichasthelowestcostpergigabyteanddeliversmodestperformance.General-purposeSSDiscost-effectivestoragethatcanprovideupto10,000IOPS.ProvisionedIOPSSSDhasthehighestcostpergigabyteandiswellsuitedforI/O-intensiveworkloadssensitivetostorageperformance.SnapshotsareincrementalbackupsofAmazonEBSvolumesstoredinAmazonS3.AmazonEBSvolumescanbeencrypted.

ExamEssentialsKnowthebasicsoflaunchinganAmazonec2instance.Tolaunchaninstance,youmustspecifyanAMI,whichdefinesthesoftwareontheinstanceatlaunch,andaninstancetype,whichdefinesthevirtualhardwaresupportingtheinstance(memory,vCPUs,andsoon).

KnowwhatarchitecturesaresuitedforwhatAmazonec2pricingoptions.SpotInstancesarebestsuitedforworkloadsthatcanaccommodateinterruption.ReservedInstancesarebestforconsistent,long-termcomputeneeds.On-DemandInstancesprovideflexiblecomputetorespondtoscalingneeds.

Knowhowtocombinemultiplepricingoptionsthatresultincostoptimizationandscalability.On-DemandInstancescanbeusedtoscaleupawebapplicationrunningonReservedInstancesinresponsetoatemporarytrafficspike.ForaworkloadwithseveralReservedInstancesreadingfromaqueue,it’spossibletouseSpotInstancestoalleviateheavytrafficinacost-effectiveway.Thesearejusttwoofcountlessexampleswhereaworkloadmayusedifferentpricingoptions.

Knowthebenefitsofenhancednetworking.EnhancednetworkingenablesyoutogetsignificantlyhigherPPSperformance,lowernetworkjitter,andlowerlatencies.

Knowthecapabilitiesofvmimport/export.VMImport/ExportallowsyoutoimportexistingVMstoAWSasAmazonEC2instancesorAMIs.AmazonEC2instancesthatwereimportedthroughVMImport/Exportcanalsobeexportedbacktoavirtualenvironment.

Knowthemethodsforaccessinganinstanceovertheinternet.YoucanaccessanAmazonEC2instanceoverthewebviapublicIPaddress,elasticIPaddress,orpublicDNSname.ThereareadditionalwaystoaccessaninstancewithinanAmazonVPC,includingprivateIPaddressesandENIs.

Knowthelifetimeofaninstancestore.Dataonaninstancestoreislostwhentheinstanceisstoppedorterminated.InstancestoredatasurvivesanOSreboot.

KnowthepropertiesoftheAmazonEC2pricingoptions.On-DemandInstancesrequirenoup-frontcommitment,canbelaunchedanytime,andarebilledbythehour.ReservedInstancesrequireanup-frontcommitmentandvaryincostdependingonwhethertheyarepaidallupfront,partiallyupfront,ornotupfront.SpotInstancesarelaunchedwhenyourbidpriceexceedsthecurrentspotprice.SpotInstanceswillrununtilthespotpriceexceedsyourbidprice,inwhichcasetheinstancewillgetatwo-minutewarningandterminate.

Knowwhatdeterminesnetworkperformance.Everyinstancetypeisratedforlow,moderate,high,or10Gbpsnetworkperformance,withlargerinstancetypesgenerallyhavinghigherratings.Additionally,someinstancetypesofferenhancednetworking,whichprovidesadditionalimprovementinnetworkperformance.

Knowwhatinstancemetadataisandhowit’sobtained.MetadataisinformationaboutanAmazonEC2instance,suchasinstanceID,instancetype,andsecuritygroups,thatisavailablefromwithintheinstance.ItcanbeobtainedthroughanHTTPcalltoaspecificIPaddress.

Knowhowsecuritygroupsprotectinstances.SecuritygroupsarevirtualfirewallscontrollingtrafficinandoutofyourAmazonEC2instances.Theyaredenybydefault,andyoucanallowtrafficbyaddingrulesspecifyingtrafficdirection,port,protocol,anddestinationaddress(viaClasslessInter-DomainRouting[CIDR]block).Theyareappliedattheinstancelevel,meaningthattrafficbetweeninstancesinthesamesecuritygroupmustadheretotherulesofthatsecuritygroup.Theyarestateful,meaningthatanoutgoingrulewillallowtheresponsewithoutacorrelatingincomingrule.

Knowhowtointerprettheeffectofsecuritygroups.Whenaninstanceisamemberofmultiplesecuritygroups,theeffectisaunionofalltherulesinallthegroups.

KnowthedifferentAmazonebsvolumetypes,theircharacteristics,andtheirappropriateworkloads.Magneticvolumesprovideanaverageperformanceof100IOPSandcanbeprovisionedupto1TB.Theyaregoodforcoldandinfrequentlyaccesseddata.General-purposeSSDvolumesprovidethreeIOPS/GBupto10,000IOPS,withsmallervolumesabletoburst3,000IOPS.Theycanbeprovisionedupto16TBandareappropriatefordev/testenvironments,smalldatabases,andsoforth.ProvisionedIOPSSSDcanprovideupto20,000consistentIOPSforvolumesupto16TB.Theyarethebestchoiceforworkloadssuchaslargedatabasesexecutingmanytransactions.

KnowhowtoencryptanAmazonebsvolume.Anyvolumetypecanbeencryptedatlaunch.EncryptionisbasedonAWSKMSandistransparenttoapplicationsontheattachedinstances.

Understandtheconceptandprocessofsnapshots.Snapshotsprovideapoint-in-timebackupofanAmazonEBSvolumeandarestoredinAmazonS3.Subsequentsnapshotsareincremental—theyonlystoredeltas.Whenyourequestasnapshot,thepoint-in-timesnapshotiscreatedimmediatelyandthevolumemaycontinuetobeused,butthesnapshotmayremaininpendingstatusuntilallthemodifiedblockshavebeentransferredtoAmazonS3.Snapshotsmaybecopiedbetweenregions.

KnowhowAmazonebs-optimizedinstancesaffectAmazonebsperformance.InadditiontotheIOPSthatcontroltheperformanceinandoutoftheAmazonEBSvolume,useAmazonEBS-optimizedinstancestoensureadditional,dedicatedcapacityforAmazonEBSI/O.

ExercisesForassistanceincompletingtheseexercises,refertotheseuserguides:

AmazonEC2(Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/

concepts.html

AmazonEC2(Windows)—http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html

AmazonEBS—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

EXERCISE3.1

LaunchandConnecttoaLinuxInstanceInthisexercise,youwilllaunchanewLinuxinstance,loginwithSSH,andinstallanysecurityupdates.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheAmazonLinuxAMI.

3. Choosethet2.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. AddatagtotheinstanceofKey:Name,Value:Exercise3.1.

7. CreateanewsecuritygroupcalledCertBook.

8. AddaruletoCertBookallowingSSHaccessfromtheIPaddressofyourworkstation(www.WhatsMyIP.orgisagoodwaytodetermineyourIPaddress).

9. Launchtheinstance.

10. Whenpromptedforakeypair,chooseakeypairyoualreadyhaveorcreateanewoneanddownloadtheprivateportion.

Amazongeneratesakeyname.pemfile,andyouwillneedakeyname.ppkfiletoconnecttotheinstanceviaSSH.Puttygen.exeisoneutilitythatwillcreatea.ppkfilefroma.pemfile.

11. SSHintotheinstanceusingthepublicIPaddress,theusernameec2-user,andthekeyname.ppkfile.

12. Fromthecommand-lineprompt,runsudoyumupdate—security-y.

13. ClosetheSSHwindowandterminatetheinstance.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

http://www.WhatsMyIP.org

EXERCISE3.2

LaunchaWindowsInstancewithBootstrappingInthisexercise,youwilllaunchaWindowsinstanceandspecifyaverysimplebootstrapscript.Youwillthenconfirmthatthebootstrapscriptwasexecutedontheinstance.


2. ChoosetheMicrosoftWindowsServer2012BaseAMI.




6. IntheAdvancedDetailssection,enterthefollowingtextasUserData:

<script>

mdc:\temp

</script>


8. UsetheCertBooksecuritygroupfromExercise3.1.


10. UsethekeypairfromExercise3.1.

11. OntheConnectInstanceUI,decrypttheadministratorpasswordandthendownloadtheRDPfiletoattempttoconnecttotheinstance.YourattemptshouldfailbecausetheCertBooksecuritygroupdoesnotallowRDPaccess.

12. OpentheCertBooksecuritygroupandaddarulethatallowsRDPaccessfromyourIPaddress.

13. AttempttoaccesstheinstanceviaRDPagain.

14. OncetheRDPsessionisconnected,openWindowsExplorerandconfirmthatthec:\tempfolderhasbeencreated.

15. EndtheRDPsessionandterminatetheinstance.

EXERCISE3.3

ConfirmThatInstanceStoresAreLostWhenanInstanceIsStoppedInthisexercise,youwillobservethatthedataonanAmazonEC2instancestoreislostwhentheinstanceisstopped.

1. LaunchaninstanceintheAmazonManagementConsole.


3. Choosethem3.mediuminstancetype.




7. UsetheCertBooksecuritygroupasupdatedinExercise3.2.



10. DecrypttheadministratorpasswordlogintotheinstanceviaRDP.

11. OncetheRDPsessionisconnected,openWindowsExplorer.

12. Createanewfoldernamedz:\temp.

13. LogoutoftheRDPsession.

14. Intheconsole,setthestateoftheinstancetoStopped.

15. Oncetheinstanceisstopped,startitagain.

16. LogbackintotheinstanceusingRDP.

17. OpenWindowsExplorerandconfirmthatthez:\tempfolderisgone.

18. EndtheRDPsessionandterminatetheinstance.

EXERCISE3.4

LaunchaSpotInstanceInthisexercise,youwillcreateaSpotInstance.

1. IntheAmazonEC2console,gototheSpotRequestpage.

2. Lookatthepricinghistoryform3.medium,especiallytherecentprice.

3. MakeanoteofthemostrecentpriceandAvailabilityZone.




7. OntheConfigureInstancepage,requestaSpotInstance.

8. LaunchtheinstanceineithertheDefaultVPCorEC2-Classic.(NotetheDefaultVPCwilldefinetheAvailabilityZonefortheinstance.)


10. RequestaSpotInstanceandenterabidafewcentsabovetherecordedSpotprice.

11. Finishlaunchingtheinstance.

12. GobacktotheSpotRequestpage.

Watchyourrequest.Ifyourbidwashighenough,youshouldseeitchangetoActiveandaninstanceIDappear.

13. FindtheinstanceontheinstancespageoftheAmazonEC2console.

NotetheLifecyclefieldintheDescriptionthatsaysSpot.

14. Oncetheinstanceisrunning,terminateit.

EXERCISE3.5

AccessMetadataInthisexercise,youwillaccesstheinstancemetadatafromtheOS.







7. UsetheCertBooksecuritygroup.



10. ConnecttheinstanceviaSSHusingthepublicIPaddress,theusernameec2-user,andthekeyname.ppkfile.

11. AttheLinuxcommandprompt,retrievealistoftheavailablemetadatabytyping:

curlhttp://169.254.169.254/latest/meta-data/

12. Toseeavalue,addthenametotheendoftheURL.Forexample,toseethesecuritygroups,type:

curlhttp://169.254.169.254/latest/meta-data/security-groups

13. Tryothervaluesaswell.Namesthatendwitha/indicatealongerlistofsub-values.

14. ClosetheSSHwindowandterminatetheinstance.

http://169.254.169.254/latest/meta-data/

http://169.254.169.254/latest/meta-data/security-groups

EXERCISE3.6

CreateanAmazonEBSVolumeandShowThatItRemainsAftertheInstanceIsTerminatedInthisexercise,youwillseehowanAmazonEBSvolumepersistsbeyondthelifeofaninstance.






6. AddasecondAmazonEBSvolumeofsize50GB.NotethattheRootVolumeissettoDeleteonTermination.


8. UsetheCertBooksecuritygroupfromearlierexercises.


10. FindthetwoAmazonEBSvolumesontheAmazonEBSconsole.NamethembothExercise3.6.

11. Terminatetheinstance.

Noticethatthebootdriveisdestroyed,buttheadditionalAmazonEBSvolumeremainsandnowsaysAvailable.DonotdeletetheAvailablevolume.

EXERCISE3.7

TakeaSnapshotandRestoreThisexerciseguidesyouthroughtakingasnapshotandrestoringitinthreedifferentways.

1. FindthevolumeyoucreatedinExercise3.6intheAmazonEBSconsole.

2. Takeasnapshotofthatvolume.NamethesnapshotExercise3.7.

3. Onthesnapshotconsole,waitforthesnapshottobecompleted.(Asthevolumewasempty,thisshouldbeveryquick.)

4. OnthesnapshotpageintheAWSManagementConsole,choosethenewsnapshotandselectCreateVolume.

5. Createthevolumewithallthedefaults.

6. LocatethesnapshotagainandagainchooseCreateVolume,settingthesizeofthenewvolumeto100GB(takingasnapshotandrestoringthesnapshottoanew,largervolumeishowyouaddresstheproblemofincreasingthesizeofanexistingvolume).LocatethesnapshotagainandchooseCopy.Copythesnapshottoanotherregion.MakethedescriptionExercise3.7.

7. Gototheotherregionandwaitforthesnapshottobecomeavailable.

8. Createavolumefromthesnapshotinthenewregion.ThisishowyoushareanAmazonEBSvolumebetweenregions;thatis,bytakingasnapshotandcopyingthesnapshot.

9. Deleteallfourvolumes.

EXERCISE3.8

LaunchanEncryptedVolumeInthisexercise,youwilllaunchanAmazonEC2instancewithanencryptedAmazonEBSvolumeandstoresomedataonittoconfirmthattheencryptionistransparenttotheinstanceitself.



3. Choosethem3.mediuminstancetype.



6. Onthestoragepage,adda50GBencryptedAmazonEBSvolume.


8. UsetheCertBooksecuritygroupasupdatedinExercise3.2.


10. ChoosethekeypairfromExercise3.1.

11. DecrypttheadministratorpasswordandlogintotheinstanceusingRDP.

12. OncetheRDPsessionisconnected,openNotepad.

13. TypesomerandominformationintoNotepad,saveitatd:\testfile.txt,andthencloseNotepad.

14. Findd:\testfile.txtinWindowsExplorerandopenitwithNotepad.ConfirmthatthedataisnotencryptedinNotepad.

15. Logout.

16. Terminatetheinstance.

EXERCISE3.9

DetachaBootDriveandReattachtoAnotherInstanceInthisexercise,youwillpracticeremovinganAmazonEBSvolumefromastoppeddriveandattachingtoanotherinstancetorecoverthedata.






6. AddatagtotheinstanceofKey:Name,Value:Exercise3.9Source.


8. LaunchtheinstancewiththekeypairfromExercise3.1.

9. LaunchasecondinstanceintheAmazonEC2Console.





14. AddatagtotheinstanceofKey:Name,Value:Exercise3.9Destination.


16. LaunchtheinstancewiththekeypairyouusedinExercise3.1.

17. Oncebothinstancesarerunning,stopthefirstinstance(Source).MakeanoteoftheinstanceID.

18. GototheAmazonEBSpageintheAmazonEC2consoleandfindthevolumeattachedtotheSourceinstanceviatheinstanceID.Detachtheinstance.

19. WhenthevolumebecomesAvailable,attachtheinstancetothesecondinstance(Destination).

20. LogintotheDestinationinstanceviaRDPusingtheadministratoraccount.

21. Openacommandwindow(cmd.exe).

22. Atthecommandprompt,typethefollowingcommands:

C:\Users\Administrator>diskpart

DISKPART>selectdisk1

DISKPART>onlinedisk

DISKPART>exit

C:\Users\Administrator>dire:

ThevolumeremovedfromthestoppedsourcedrivecannowbereadastheE:driveonthedestinationinstance,soitsdatacanberetrieved.

23. Terminatealltheinstancesandensurethevolumesaredeletedintheprocess.

ReviewQuestions1. Yourwebapplicationneedsfourinstancestosupportsteadytrafficnearlyallofthetime.Onthelastdayofeachmonth,thetraffictriples.Whatisacost-effectivewaytohandlethistrafficpattern?

A. Run12ReservedInstancesallofthetime.

B. RunfourOn-DemandInstancesconstantly,thenaddeightmoreOn-DemandInstancesonthelastdayofeachmonth.

C. RunfourReservedInstancesconstantly,thenaddeightOn-DemandInstancesonthelastdayofeachmonth.

D. RunfourOn-DemandInstancesconstantly,thenaddeightReservedInstancesonthelastdayofeachmonth.

2. Yourorder-processingapplicationprocessesordersextractedfromaqueuewithtwoReservedInstancesprocessing10orders/minute.Ifanorderfailsduringprocessing,thenitisreturnedtothequeuewithoutpenalty.Duetoaweekendsale,thequeueshaveseveralhundredordersbackedup.Whilethebackupisnotcatastrophic,youwouldliketodrainitsothatcustomersgettheirconfirmationemailsfaster.Whatisacost-effectivewaytodrainthequeuefororders?

A. Createmorequeues.

B. DeployadditionalSpotInstancestoassistinprocessingtheorders.

C. DeployadditionalReservedInstancestoassistinprocessingtheorders.

D. DeployadditionalOn-DemandInstancestoassistinprocessingtheorders.

3. WhichofthefollowingmustbespecifiedwhenlaunchinganewAmazonElasticComputeCloud(AmazonEC2)Windowsinstance?(Choose2answers)

A. TheAmazonEC2instanceID

B. Passwordfortheadministratoraccount

C. AmazonEC2instancetype

D. AmazonMachineImage(AMI)

4. Youhavepurchasedanm3.xlargeLinuxReservedinstanceinus-east-1a.Inwhichwayscanyoumodifythisreservation?(Choose2answers)

A. Changeitintotwom3.largeinstances.

B. ChangeittoaWindowsinstance.

C. Moveittous-east-1b.

D. Changeittoanm4.xlarge.

5. Yourinstanceisassociatedwithtwosecuritygroups.ThefirstallowsRemoteDesktopProtocol(RDP)accessoverport3389fromClasslessInter-DomainRouting(CIDR)block72.14.0.0/16.ThesecondallowsHTTPaccessoverport80fromCIDRblock

0.0.0.0/0.Whattrafficcanreachyourinstance?

A. RDPandHTTPaccessfromCIDRblock0.0.0.0/0

B. Notrafficisallowed.

C. RDPandHTTPtrafficfrom72.14.0.0/16

D. RDPtrafficoverport3389from72.14.0.0/16andHTTPtrafficoverport80from0.0.00/0

6. Whichofthefollowingarefeaturesofenhancednetworking?(Choose3answers)

A. MorePacketsPerSecond(PPS)

B. Lowerlatency

C. Multiplenetworkinterfaces

D. BorderGatewayProtocol(BGP)routing

E. Lessjitter

7. YouarecreatingaHigh-PerformanceComputing(HPC)clusterandneedverylowlatencyandhighbandwidthbetweeninstances.Whatcombinationofthefollowingwillallowthis?(Choose3answers)

A. Useaninstancetypewith10Gbpsnetworkperformance.

B. Puttheinstancesinaplacementgroup.

C. UseDedicatedInstances.

D. Enableenhancednetworkingontheinstances.

E. UseReservedInstances.

8. WhichAmazonElasticComputeCloud(AmazonEC2)featureensuresthatyourinstanceswillnotshareaphysicalhostwithinstancesfromanyotherAWScustomer?

A. AmazonVirtualPrivateCloud(VPC)

B. Placementgroups

C. DedicatedInstances

D. ReservedInstances

9. Whichofthefollowingaretrueofinstancestores?(Choose2answers)

A. Automaticbackups

B. Dataislostwhentheinstancestops.

C. VeryhighIOPS

D. Chargeisbasedonthetotalamountofstorageprovisioned.

10. WhichofthefollowingarefeaturesofAmazonElasticBlockStore(AmazonEBS)?(Choose2answers)

A. DatastoredonAmazonEBSisautomaticallyreplicatedwithinanAvailabilityZone.

B. AmazonEBSdataisautomaticallybackeduptotape.

C. AmazonEBSvolumescanbeencryptedtransparentlytoworkloadsontheattachedinstance.

D. DataonanAmazonEBSvolumeislostwhentheattachedinstanceisstopped.

11. YouneedtotakeasnapshotofanAmazonElasticBlockStore(AmazonEBS)volume.Howlongwillthevolumebeunavailable?

A. Itdependsontheprovisionedsizeofthevolume.

B. Thevolumewillbeavailableimmediately.

C. Itdependsontheamountofdatastoredonthevolume.

D. ItdependsonwhethertheattachedinstanceisanAmazonEBS-optimizedinstance.

12. YouarerestoringanAmazonElasticBlockStore(AmazonEBS)volumefromasnapshot.Howlongwillitbebeforethedataisavailable?

A. Itdependsontheprovisionedsizeofthevolume.

B. Thedatawillbeavailableimmediately.

C. Itdependsontheamountofdatastoredonthevolume.

D. ItdependsonwhethertheattachedinstanceisanAmazonEBS-optimizedinstance.

13. Youhaveaworkloadthatrequires15,000consistentIOPSfordatathatmustbedurable.Whatcombinationofthefollowingstepsdoyouneed?(Choose2answers)

A. UseanAmazonElasticBlockStore(AmazonEBS)-optimizedinstance.

B. Useaninstancestore.

C. UseaProvisionedIOPSSSDvolume.

D. Useamagneticvolume.

14. Whichofthefollowingcanbeaccomplishedthroughbootstrapping?

A. Installthemostcurrentsecurityupdates.

B. Installthecurrentversionoftheapplication.

C. ConfigureOperatingSystem(OS)services.

D. Alloftheabove.

15. HowcanyouconnecttoanewLinuxinstanceusingSSH?

A. Decrypttherootpassword.

B. Usingacertificate

C. Usingtheprivatehalfoftheinstance’skeypair

D. UsingMulti-FactorAuthentication(MFA)

16. VMImport/Exportcanimportexistingvirtualmachinesas:(Choose2answers)

A. AmazonElasticBlockStore(AmazonEBS)volumes

B. AmazonElasticComputeCloud(AmazonEC2)instances

C. AmazonMachineImages(AMIs)

D. Securitygroups

17. WhichofthefollowingcanbeusedtoaddressanAmazonElasticComputeCloud(AmazonEC2)instanceovertheweb?(Choose2answers)

A. Windowsmachinename

B. PublicDNSname

C. AmazonEC2instanceID

D. ElasticIPaddress

18. UsingthecorrectlydecryptedAdministratorpasswordandRDP,youcannotlogintoaWindowsinstanceyoujustlaunched.Whichofthefollowingisapossiblereason?

A. ThereisnosecuritygrouprulethatallowsRDPaccessoverport3389fromyourIPaddress.

B. TheinstanceisaReservedInstance.

C. Theinstanceisnotusingenhancednetworking.

D. TheinstanceisnotanAmazonEBS-optimizedinstance.

19. Youhaveaworkloadthatrequires1TBofdurableblockstorageat1,500IOPSduringnormaluse.EverynightthereisanExtract,Transform,Load(ETL)taskthatrequires3,000IOPSfor15minutes.Whatisthemostappropriatevolumetypeforthisworkload?

A. UseaProvisionedIOPSSSDvolumeat3,000IOPS.

B. Useaninstancestore.

C. Useageneral-purposeSSDvolume.

D. Useamagneticvolume.

20. HowareyoubilledforelasticIPaddresses?

A. Hourlywhentheyareassociatedwithaninstance

B. Hourlywhentheyarenotassociatedwithaninstance

C. Basedonthedatathatflowsthroughthem

D. Basedontheinstancetypetowhichtheyareattached

Chapter4AmazonVirtualPrivateCloud(AmazonVPC)THEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems




Planninganddesign

Familiaritywith:


Architecturaltrade-offdecisions(forexample,highavailabilityvs.cost,AmazonRelationalDatabaseService[RDS]vs.installingyourowndatabaseonAmazonElasticComputeCloud—EC2)

HybridITarchitectures(forexample,DirectConnect,StorageGateway,VPC,DirectoryServices)


2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonS3,AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(VPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.


OperateandextendservicemanagementinahybridITarchitecture





AWSsecurityattributes(customerworkloadsdowntothephysicallayer)

AmazonVirtualPrivateCloud(VPC)

Ingressvs.egressfiltering,andwhichAWSservicesandfeaturesfit

“Core”AmazonEC2andS3securityfeaturesets

Incorporatingcommonconventionalsecurityproducts(FirewallandVPNs)

Complexaccesscontrols(buildingsophisticatedsecuritygroups,ACLs,andsoon)

IntroductionTheAmazonVirtualPrivateCloud(AmazonVPC)isacustom-definedvirtualnetworkwithintheAWSCloud.YoucanprovisionyourownlogicallyisolatedsectionofAWS,similartodesigningandimplementingaseparateindependentnetworkthatwouldoperateinanon-premisesdatacenter.ThischapterexploresthecorecomponentsofAmazonVPCand,intheexercises,youlearnhowtobuildyourownAmazonVPCinthecloud.AstrongunderstandingofAmazonVPCtopologyandtroubleshootingisrequiredtopasstheexam,andwehighlyrecommendthatyoucompletetheexercisesinthischapter.

AmazonVirtualPrivateCloud(AmazonVPC)AmazonVPCisthenetworkinglayerforAmazonElasticComputeCloud(AmazonEC2),anditallowsyoutobuildyourownvirtualnetworkwithinAWS.YoucontrolvariousaspectsofyourAmazonVPC,includingselectingyourownIPaddressrange;creatingyourownsubnets;andconfiguringyourownroutetables,networkgateways,andsecuritysettings.Withinaregion,youcancreatemultipleAmazonVPCs,andeachAmazonVPCislogicallyisolatedevenifitsharesitsIPaddressspace.

WhenyoucreateanAmazonVPC,youmustspecifytheIPv4addressrangebychoosingaClasslessInter-DomainRouting(CIDR)block,suchas10.0.0.0/16.TheaddressrangeoftheAmazonVPCcannotbechangedaftertheAmazonVPCiscreated.AnAmazonVPCaddressrangemaybeaslargeas/16(65,536availableaddresses)orassmallas/28(16availableaddresses)andshouldnotoverlapanyothernetworkwithwhichtheyaretobeconnected.

TheAmazonVPCservicewasreleasedaftertheAmazonEC2service;becauseofthis,therearetwodifferentnetworkingplatformsavailablewithinAWS:EC2-ClassicandEC2-VPC.AmazonEC2originallylaunchedwithasingle,flatnetworksharedwithotherAWScustomerscalledEC2-Classic.Assuch,AWSaccountscreatedpriortothearrivaloftheAmazonVPCservicecanlaunchinstancesintotheEC2-ClassicnetworkandEC2-VPC.AWSaccountscreatedafterDecember2013onlysupportlaunchinginstancesusingEC2-VPC.AWSaccountsthatsupportEC2-VPCwillhaveadefaultVPCcreatedineachregionwithadefaultsubnetcreatedineachAvailabilityZone.TheassignedCIDRblockoftheVPCwillbe172.31.0.0/16.

Figure4.1illustratesanAmazonVPCwithanaddressspaceof10.0.0.0/16,twosubnetswithdifferentaddressranges(10.0.0.0/24and10.0.1.0/24)placedindifferentAvailabilityZones,andaroutetablewiththelocalroutespecified.

FIGURE4.1VPC,subnets,andaroutetable

AnAmazonVPCconsistsofthefollowingcomponents:

Subnets

Routetables

DynamicHostConfigurationProtocol(DHCP)optionsets

Securitygroups

NetworkAccessControlLists(ACLs)

AnAmazonVPChasthefollowingoptionalcomponents:

InternetGateways(IGWs)

ElasticIP(EIP)addresses

ElasticNetworkInterfaces(ENIs)

Endpoints

Peering

NetworkAddressTranslation(NATs)instancesandNATgateways

VirtualPrivateGateway(VPG),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)

SubnetsAsubnetisasegmentofanAmazonVPC’sIPaddressrangewhereyoucanlaunchAmazonEC2instances,AmazonRelationalDatabaseService(AmazonRDS)databases,andotherAWSresources.CIDRblocksdefinesubnets(forexample,10.0.1.0/24and192.168.0.0/24).Thesmallestsubnetthatyoucancreateisa/28(16IPaddresses).AWSreservesthefirstfourIPaddressesandthelastIPaddressofeverysubnetforinternalnetworkingpurposes.Forexample,asubnetdefinedasa/28has16availableIPaddresses;subtractthe5IPsneededbyAWStoyield11IPaddressesforyourusewithinthesubnet.

AftercreatinganAmazonVPC,youcanaddoneormoresubnetsineachAvailabilityZone.SubnetsresidewithinoneAvailabilityZoneandcannotspanzones.Thisisanimportantpointthatcancomeupintheexam,sorememberthatonesubnetequalsoneAvailabilityZone.Youcan,however,havemultiplesubnetsinoneAvailabilityZone.

Subnetscanbeclassifiedaspublic,private,orVPN-only.Apublicsubnetisoneinwhichtheassociatedroutetable(discussedlater)directsthesubnet’straffictotheAmazonVPC’sIGW(alsodiscussedlater).Aprivatesubnetisoneinwhichtheassociatedroutetabledoesnotdirectthesubnet’straffictotheAmazonVPC’sIGW.AVPN-onlysubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sVPG(discussedlater)anddoesnothavearoutetotheIGW.Regardlessofthetypeofsubnet,theinternalIPaddressrangeofthesubnetisalwaysprivate(thatis,non-routableontheInternet).

DefaultAmazonVPCscontainonepublicsubnetineveryAvailabilityZonewithintheregion,withanetmaskof/20.

RouteTablesAroutetableisalogicalconstructwithinanAmazonVPCthatcontainsasetofrules(calledroutes)thatareappliedtothesubnetandusedtodeterminewherenetworktrafficisdirected.Aroutetable’sroutesarewhatpermitAmazonEC2instanceswithindifferentsubnetswithinanAmazonVPCtocommunicatewitheachother.Youcanmodifyroutetablesandaddyourowncustomroutes.Youcanalsouseroutetablestospecifywhichsubnetsarepublic(bydirectingInternettraffictotheIGW)andwhichsubnetsareprivate(bynothavingaroutethatdirectstraffictotheIGW).

Eachroutetablecontainsadefaultroutecalledthelocalroute,whichenablescommunicationwithintheAmazonVPC,andthisroutecannotbemodifiedorremoved.AdditionalroutescanbeaddedtodirecttraffictoexittheAmazonVPCviatheIGW(discussedlater),theVPG(discussedlater),ortheNATinstance(discussedlater).Intheexercisesattheendofthischapter,youcanpracticehowthisisaccomplished.

Youshouldrememberthefollowingpointsaboutroutetables:

YourVPChasanimplicitrouter.

YourVPCautomaticallycomeswithamainroutetablethatyoucanmodify.

YoucancreateadditionalcustomroutetablesforyourVPC.

Eachsubnetmustbeassociatedwitharoutetable,whichcontrolstheroutingforthesubnet.Ifyoudon’texplicitlyassociateasubnetwithaparticularroutetable,thesubnetusesthemainroutetable.

Youcanreplacethemainroutetablewithacustomtablethatyou’vecreatedsothateachnewsubnetisautomaticallyassociatedwithit.

EachrouteinatablespecifiesadestinationCIDRandatarget;forexample,trafficdestinedfor172.16.0.0/12istargetedfortheVPG.AWSusesthemostspecificroutethatmatchesthetraffictodeterminehowtoroutethetraffic.

InternetGatewaysAnInternetGateway(IGW)isahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletraffic,anditperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.

AmazonEC2instanceswithinanAmazonVPCareonlyawareoftheirprivateIPaddresses.WhentrafficissentfromtheinstancetotheInternet,theIGWtranslatesthereplyaddresstotheinstance’spublicIPaddress(orEIPaddress,coveredlater)andmaintainstheone-to-onemapoftheinstanceprivateIPaddressandpublicIPaddress.WhenaninstancereceivestrafficfromtheInternet,theIGWtranslatesthedestinationaddress(publicIPaddress)totheinstance’sprivateIPaddressandforwardsthetraffictotheAmazonVPC.

YoumustdothefollowingtocreateapublicsubnetwithInternetaccess:

AttachanIGWtoyourAmazonVPC.

Createasubnetroutetableruletosendallnon-localtraffic(0.0.0.0/0)totheIGW.

ConfigureyournetworkACLsandsecuritygrouprulestoallowrelevanttraffictoflowtoandfromyourinstance.

YoumustdothefollowingtoenableanAmazonEC2instancetosendandreceivetrafficfromtheInternet:

AssignapublicIPaddressorEIPaddress.

Youcanscopetheroutetoalldestinationsnotexplicitlyknowntotheroutetable(0.0.0.0/0),oryoucanscopetheroutetoanarrowerrangeofIPaddresses,suchasthepublicIPaddressesofyourcompany’spublicendpointsoutsideofAWSortheEIPaddressesofotherAmazonEC2instancesoutsideyourAmazonVPC.

Figure4.2illustratesanAmazonVPCwithanaddressspaceof10.0.0.0/16,onesubnetwithanaddressrangeof10.0.0.0/24,aroutetable,anattachedIGW,andasingleAmazonEC2instancewithaprivateIPaddressandanEIPaddress.Theroutetablecontainstworoutes:thelocalroutethatpermitsinter-VPCcommunicationandaroutethatsendsallnon-localtraffictotheIGW(igw-id).NotethattheAmazonEC2instancehasapublicIPaddress(EIP=198.51.100.2);thisinstancecanbeaccessedfromtheInternet,andtrafficmayoriginateandreturntothisinstance.

FIGURE4.2VPC,subnet,routetable,andanInternetgateway

DynamicHostConfigurationProtocol(DHCP)OptionSetsDynamicHostConfigurationProtocol(DHCP)providesastandardforpassingconfigurationinformationtohostsonaTCP/IPnetwork.TheoptionsfieldofaDHCPmessagecontainstheconfigurationparameters.Someofthoseparametersarethedomainname,domainnameserver,andthenetbios-node-type.

AWSautomaticallycreatesandassociatesaDHCPoptionsetforyourAmazonVPCuponcreationandsetstwooptions:domain-name-servers(defaultedtoAmazonProvidedDNS)anddomain-name(defaultedtothedomainnameforyourregion).AmazonProvidedDNSisanAmazonDomainNameSystem(DNS)server,andthisoptionenablesDNSforinstancesthatneedtocommunicateovertheAmazonVPC’sIGW.

TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2hostnameassignmentstoyourownresources.Toassignyourowndomainnametoyourinstances,createacustomDHCPoptionsetandassignittoyourAmazonVPC.YoucanconfigurethefollowingvalueswithinaDHCPoptionset:

domain-name-servers—TheIPaddressesofuptofourdomainnameservers,separatedbycommas.ThedefaultisAmazonProvidedDNS.

domain-name—Specifythedesireddomainnamehere(forexample,mycompany.com).

ntp-servers—TheIPaddressesofuptofourNetworkTimeProtocol(NTP)servers,separatedbycommas

netbios-name-servers—TheIPaddressesofuptofourNetBIOSnameservers,separatedbycommas

netbios-node-type—Setthisvalueto2.

EveryAmazonVPCmusthaveonlyoneDHCPoptionsetassignedtoit.

ElasticIPAddresses(EIPs)AWSmaintainsapoolofpublicIPaddressesineachregionandmakesthemavailableforyoutoassociatetoresourceswithinyourAmazonVPCs.AnElasticIPAddresses(EIP)isastatic,publicIPaddressinthepoolfortheregionthatyoucanallocatetoyouraccount(pullfromthepool)andrelease(returntothepool).EIPsallowyoutomaintainasetofIPaddressesthatremainfixedwhiletheunderlyinginfrastructuremaychangeovertime.HerearetheimportantpointstounderstandaboutEIPsfortheexam:

YoumustfirstallocateanEIPforusewithinaVPCandthenassignittoaninstance.

EIPsarespecifictoaregion(thatis,anEIPinoneregioncannotbeassignedtoaninstancewithinanAmazonVPCinadifferentregion).

Thereisaone-to-onerelationshipbetweennetworkinterfacesandEIPs.

YoucanmoveEIPsfromoneinstancetoanother,eitherinthesameAmazonVPCoradifferentAmazonVPCwithinthesameregion.

EIPsremainassociatedwithyourAWSaccountuntilyouexplicitlyreleasethem.

TherearechargesforEIPsallocatedtoyouraccount,evenwhentheyarenotassociatedwitharesource.

ElasticNetworkInterfaces(ENIs)AnElasticNetworkInterface(ENI)isavirtualnetworkinterfacethatyoucanattachtoaninstanceinanAmazonVPC.ENIsareonlyavailablewithinanAmazonVPC,andtheyareassociatedwithasubnetuponcreation.TheycanhaveonepublicIPaddressandmultipleprivateIPaddresses.IftherearemultipleprivateIPaddresses,oneofthemisprimary.AssigningasecondnetworkinterfacetoaninstanceviaanENIallowsittobedual-homed(havenetworkpresenceindifferentsubnets).AnENIcreatedindependentlyofaparticularinstancepersistsregardlessofthelifetimeofanyinstancetowhichitisattached;ifanunderlyinginstancefails,theIPaddressmaybepreservedbyattachingtheENItoareplacementinstance.

ENIsallowyoutocreateamanagementnetwork,usenetworkandsecurityappliancesinyourAmazonVPC,createdual-homedinstanceswithworkloads/rolesondistinctsubnets,orcreatealow-budget,high-availabilitysolution.

EndpointsAnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,VPNconnection,orAWSDirectConnect.Youcancreatemultipleendpointsforasingleservice,andyoucanusedifferentroutetablestoenforcedifferentaccesspoliciesfromdifferentsubnetstothesameservice.

AmazonVPCendpointscurrentlysupportcommunicationwithAmazonSimpleStorageService(AmazonS3),andotherservicesareexpectedtobeaddedinthefuture.

YoumustdothefollowingtocreateanAmazonVPCendpoint:

SpecifytheAmazonVPC.

Specifytheservice.Aserviceisidentifiedbyaprefixlistoftheformcom.amazonaws.<region>.<service>.

Specifythepolicy.Youcanallowfullaccessorcreateacustompolicy.Thispolicycanbechangedatanytime.

Specifytheroutetables.Aroutewillbeaddedtoeachspecifiedroutetable,whichwillstatetheserviceasthedestinationandtheendpointasthetarget.

Table4.1isanexampleroutetablethathasanexistingroutethatdirectsallInternettraffic(0.0.0.0/0)toanIGW.AnytrafficfromthesubnetthatisdestinedforanotherAWSservice(forexample,AmazonS3orAmazonDynamoDB)willbesenttotheIGWinordertoreachthatservice.

TABLE4.1RouteTablewithanIGWRoutingRule

Destination Target10.0.0.0/16 Local

0.0.0.0/0 igw-1a2b3c4d

Table4.2isanexampleroutetablethathasexistingroutesdirectingallInternettraffictoanIGWandallAmazonS3traffictotheAmazonVPCendpoint.

TABLE4.2RouteTablewithanIGWRoutingRuleandVPCEndpointRule

Destination Target10.0.0.0/16 Local

0.0.0.0/0 igw-1a2b3c4d

pl-1a2b3c4d vpce-11bb22cc

TheroutetabledepictedinTable4.2willdirectanytrafficfromthesubnetthat’sdestinedforAmazonS3inthesameregiontotheendpoint.AllotherInternettrafficgoestoyourIGW,includingtrafficthat’sdestinedforotherservicesandforAmazonS3inotherregions.

PeeringAnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheyarewithinthesamenetwork.YoucancreateanAmazonVPCpeeringconnectionbetweenyourownAmazonVPCsorwithanAmazonVPCinanotherAWSaccountwithinasingleregion.ApeeringconnectionisneitheragatewaynoranAmazonVPNconnectionanddoesnotintroduceasinglepointoffailureforcommunication.

Peeringconnectionsarecreatedthrougharequest/acceptprotocol.TheowneroftherequestingAmazonVPCsendsarequesttopeertotheownerofthepeerAmazonVPC.IfthepeerAmazonVPCiswithinthesameaccount,itisidentifiedbyitsVPCID.IfthepeerVPCiswithinadifferentaccount,itisidentifiedbyAccountIDandVPCID.TheownerofthepeerAmazonVPChasoneweektoacceptorrejecttherequesttopeerwiththerequestingAmazonVPCbeforethepeeringrequestexpires.

AnAmazonVPCmayhavemultiplepeeringconnections,andpeeringisaone-to-onerelationshipbetweenAmazonVPCs,meaningtwoAmazonVPCscannothavetwopeeringagreementsbetweenthem.Also,peeringconnectionsdonotsupporttransitiverouting.Figure4.3depictstransitiverouting.

FIGURE4.3VPCpeeringconnectionsdonotsupporttransitiverouting

InFigure4.3,VPCAhastwopeeringconnectionswithtwodifferentVPCs:VPCBandVPCC.Therefore,VPCAcancommunicatedirectlywithVPCsBandC.Becausepeeringconnectionsdonotsupporttransitiverouting,VPCAcannotbeatransitpointfortrafficbetweenVPCsBandC.InorderforVPCsBandCtocommunicatewitheachother,apeeringconnectionmustbeexplicitlycreatedbetweenthem.

Herearetheimportantpointstounderstandaboutpeeringfortheexam:

YoucannotcreateapeeringconnectionbetweenAmazonVPCsthathavematchingoroverlappingCIDRblocks.

YoucannotcreateapeeringconnectionbetweenAmazonVPCsindifferentregions.

AmazonVPCpeeringconnectionsdonotsupporttransitiverouting.

YoucannothavemorethanonepeeringconnectionbetweenthesametwoAmazonVPCsatthesametime.

SecurityGroupsAsecuritygroupisavirtualstatefulfirewallthatcontrolsinboundandoutboundnetworktraffictoAWSresourcesandAmazonEC2instances.AllAmazonEC2instancesmustbelaunchedintoasecuritygroup.Ifasecuritygroupisnotspecifiedatlaunch,thentheinstancewillbelaunchedintothedefaultsecuritygroupfortheAmazonVPC.Thedefaultsecuritygroupallowscommunicationbetweenallresourceswithinthesecuritygroup,allowsalloutboundtraffic,anddeniesallothertraffic.Youmaychangetherulesforthedefaultsecuritygroup,butyoumaynotdeletethedefaultsecuritygroup.Table4.3describesthesettingsofthedefaultsecuritygroup.

TABLE4.3SecurityGroupRules

Inbound

Source Protocol PortRange

Comments

sg-xxxxxxxx All All Allowinboundtrafficfrominstanceswithinthesamesecuritygroup.

Outbound

Destination Protocol PortRange

Comments

0.0.0.0/0 All All Allowalloutboundtraffic.

Foreachsecuritygroup,youaddrulesthatcontroltheinboundtraffictoinstancesandaseparatesetofrulesthatcontroltheoutboundtraffic.Forexample,Table4.4describesasecuritygroupforwebservers.

TABLE4.4SecurityGroupRulesforaWebServer

Inbound

Source Protocol PortRange

Comments

0.0.0.0/0 TCP 80 AllowinboundtrafficfromtheInternettoport80.

Yournetwork’spublicIPaddressrange

TCP 22 AllowSecureShell(SSH)trafficfromyourcompanynetwork.

Yournetwork’spublicIPaddressrange

TCP 3389 AllowRemoteDesktopProtocol(RDP)trafficfromyourcompanynetwork.

Outbound

Destination Protocol PortRange

Comments

TheIDofthesecuritygroupforyourMySQLdatabaseservers

TCP 3306 AllowoutboundMySQLaccesstoinstancesinthespecifiedsecuritygroup.

TheIDofthesecuritygroupforyourMicrosoftSQLServerdatabaseservers

TCP 1433 AllowoutboundMicrosoftSQLServeraccesstoinstancesinthespecifiedsecuritygroup.

Herearetheimportantpointstounderstandaboutsecuritygroupsfortheexam:

Youcancreateupto500securitygroupsforeachAmazonVPC.

Youcanaddupto50inboundand50outboundrulestoeachsecuritygroup.Ifyouneedtoapplymorethan100rulestoaninstance,youcanassociateuptofivesecuritygroupswitheachnetworkinterface.

Youcanspecifyallowrules,butnotdenyrules.ThisisanimportantdifferencebetweensecuritygroupsandACLs.

Youcanspecifyseparaterulesforinboundandoutboundtraffic.

Bydefault,noinboundtrafficisalloweduntilyouaddinboundrulestothesecuritygroup.

Bydefault,newsecuritygroupshaveanoutboundrulethatallowsalloutboundtraffic.Youcanremovetheruleandaddoutboundrulesthatallowspecificoutboundtrafficonly.

Securitygroupsarestateful.Thismeansthatresponsestoallowedinboundtrafficareallowedtoflowoutboundregardlessofoutboundrulesandviceversa.ThisisanimportantdifferencebetweensecuritygroupsandnetworkACLs.

Instancesassociatedwiththesamesecuritygroupcan’ttalktoeachotherunlessyouaddrulesallowingit(withtheexceptionbeingthedefaultsecuritygroup).

Youcanchangethesecuritygroupswithwhichaninstanceisassociatedafterlaunch,

andthechangeswilltakeeffectimmediately.

NetworkAccessControlLists(ACLs)Anetworkaccesscontrollist(ACL)isanotherlayerofsecuritythatactsasastatelessfirewallonasubnetlevel.AnetworkACLisanumberedlistofrulesthatAWSevaluatesinorder,startingwiththelowestnumberedrule,todeterminewhethertrafficisallowedinoroutofanysubnetassociatedwiththenetworkACL.AmazonVPCsarecreatedwithamodifiabledefaultnetworkACLassociatedwitheverysubnetthatallowsallinboundandoutboundtraffic.WhenyoucreateacustomnetworkACL,itsinitialconfigurationwilldenyallinboundandoutboundtrafficuntilyoucreaterulesthatallowotherwise.YoumaysetupnetworkACLswithrulessimilartoyoursecuritygroupsinordertoaddalayerofsecuritytoyourAmazonVPC,oryoumaychoosetousethedefaultnetworkACLthatdoesnotfiltertraffictraversingthesubnetboundary.Overall,everysubnetmustbeassociatedwithanetworkACL.

Table4.5explainsthedifferencesbetweenasecuritygroupandanetworkACL.YoushouldrememberthefollowingdifferencesbetweensecuritygroupsandnetworkACLsfortheexam.

TABLE4.5ComparisonofSecurityGroupsandNetworkACLs

SecurityGroup NetworkACL

Operatesattheinstancelevel(firstlayerofdefense)

Operatesatthesubnetlevel(secondlayerofdefense)

Supportsallowrulesonly Supportsallowrulesanddenyrules

Stateful:Returntrafficisautomaticallyallowed,regardlessofanyrules

Stateless:Returntrafficmustbeexplicitlyallowedbyrules.

AWSevaluatesallrulesbeforedecidingwhethertoallowtraffic

AWSprocessesrulesinnumberorderwhendecidingwhethertoallowtraffic.

Appliedselectivelytoindividualinstances

Automaticallyappliedtoallinstancesintheassociatedsubnets;thisisabackuplayerofdefense,soyoudon’thavetorelyonsomeonespecifyingthesecuritygroup.

NetworkAddressTranslation(NAT)InstancesandNATGatewaysBydefault,anyinstancethatyoulaunchintoaprivatesubnetinanAmazonVPCisnotabletocommunicatewiththeInternetthroughtheIGW.ThisisproblematiciftheinstanceswithinprivatesubnetsneeddirectaccesstotheInternetfromtheAmazonVPCinordertoapplysecurityupdates,downloadpatches,orupdateapplicationsoftware.AWSprovidesNATinstancesandNATgatewaystoallowinstancesdeployedinprivatesubnetstogainInternetaccess.Forcommonusecases,werecommendthatyouuseaNATgatewayinsteadofaNATinstance.TheNATgatewayprovidesbetteravailabilityandhigherbandwidth,andrequireslessadministrativeeffortthanNATinstances.

NATInstanceAnetworkaddresstranslation(NAT)instanceisanAmazonLinuxAmazonMachineImage(AMI)thatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATinstance,andforwardthetraffictotheIGW.Inaddition,theNATinstancemaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.Theseinstanceshavethestringamzn-ami-vpc-natintheirnames,whichissearchableintheAmazonEC2console.

ToallowinstanceswithinaprivatesubnettoaccessInternetresourcesthroughtheIGWviaaNATinstance,youmustdothefollowing:

CreateasecuritygroupfortheNATwithoutboundrulesthatspecifytheneededInternetresourcesbyport,protocol,andIPaddress.

LaunchanAmazonLinuxNATAMIasaninstanceinapublicsubnetandassociateitwiththeNATsecuritygroup.

DisabletheSource/DestinationCheckattributeoftheNAT.

ConfiguretheroutetableassociatedwithaprivatesubnettodirectInternet-boundtraffictotheNATinstance(forexample,i-1a2b3c4d).

AllocateanEIPandassociateitwiththeNATinstance.

ThisconfigurationallowsinstancesinprivatesubnetstosendoutboundInternetcommunication,butitpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.

NATGatewayANATgatewayisanAmazonmanagedresourcethatisdesignedtooperatejustlikeaNATinstance,butitissimplertomanageandhighlyavailablewithinanAvailabilityZone.

ToallowinstanceswithinaprivatesubnettoaccessInternetresourcesthroughtheIGWviaaNATgateway,youmustdothefollowing:

ConfiguretheroutetableassociatedwiththeprivatesubnettodirectInternet-bound

traffictotheNATgateway(forexample,nat-1a2b3c4d).

AllocateanEIPandassociateitwiththeNATgateway.

LikeaNATinstance,thismanagedserviceallowsoutboundInternetcommunicationandpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.

TocreateanAvailabilityZone-independentarchitecture,createaNATgatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.

TheexerciseswilldemonstratehowaNATgatewayworks.

VirtualPrivateGateways(VPGs),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)YoucanconnectanexistingdatacentertoAmazonVPCusingeitherhardwareorsoftwareVPNconnections,whichwillmakeAmazonVPCanextensionofthedatacenter.AmazonVPCofferstwowaystoconnectacorporatenetworktoaVPC:VPGandCGW.

Avirtualprivategateway(VPG)isthevirtualprivatenetwork(VPN)concentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.Acustomergateway(CGW)representsaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.AfterthesetwoelementsofanAmazonVPChavebeencreated,thelaststepistocreateaVPNtunnel.TheVPNtunnelisestablishedaftertrafficisgeneratedfromthecustomer’ssideoftheVPNconnection.Figure4.4illustratesasingleVPNconnectionbetweenacorporatenetworkandanAmazonVPC.

FIGURE4.4VPCwithVPNconnectiontoacustomernetwork

YoumustspecifythetypeofroutingthatyouplantousewhenyoucreateaVPNconnection.IftheCGWsupportsBorderGatewayProtocol(BGP),thenconfiguretheVPNconnectionfordynamicrouting.Otherwise,configuretheconnectionsforstaticrouting.Ifyouwillbeusingstaticrouting,youmustentertheroutesforyournetworkthatshouldbecommunicatedtotheVPG.RouteswillbepropagatedtotheAmazonVPCtoallowyourresourcestoroutenetworktrafficbacktothecorporatenetworkthroughtheVGWandacrosstheVPNtunnel.

AmazonVPCalsosupportsmultipleCGWs,eachhavingaVPNconnectiontoasingleVPG(many-to-onedesign).Inordertosupportthistopology,theCGWIPaddressesmustbeuniquewithintheregion.

AmazonVPCwillprovidetheinformationneededbythenetworkadministratortoconfiguretheCGWandestablishtheVPNconnectionwiththeVPG.TheVPNconnectionconsistsoftwoInternetProtocolSecurity(IPSec)tunnelsforhigheravailabilitytotheAmazonVPC.

FollowingaretheimportantpointstounderstandaboutVPGs,CGWs,andVPNsfortheexam:

TheVPGistheAWSendoftheVPNtunnel.

TheCGWisahardwareorsoftwareapplicationonthecustomer’ssideoftheVPNtunnel.

YoumustinitiatetheVPNtunnelfromtheCGWtotheVPG.

VPGssupportbothdynamicroutingwithBGPandstaticrouting.

TheVPNconnectionconsistsoftwotunnelsforhigheravailabilitytotheVPC.

SummaryInthischapter,youlearnedthatAmazonVPCisthenetworkinglayerforAmazonEC2,anditallowsyoutocreateyourownprivatevirtualnetworkwithinthecloud.YoucanprovisionyourownlogicallyisolatedsectionofAWSsimilartodesigningandimplementingaseparateindependentnetworkthatyou’doperateinaphysicaldatacenter.

AVPCconsistsofthefollowingcomponents:

Subnets

Routetables

DHCPoptionsets

Securitygroups

NetworkACLs

AVPChasthefollowingoptionalcomponents:

IGWs

EIPaddresses

Endpoints

Peering

NATinstanceandNATgateway

VPG,CGW,andVPN

Subnetscanbepublic,private,orVPN-only.Apublicsubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sIGW.Aprivatesubnetisoneinwhichtheassociatedroutetabledoesnotdirectthesubnet’straffictotheAmazonVPC’sIGW.AVPN-onlysubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sVPGanddoesnothavearoutetotheIGW.Regardlessofthetypeofsubnet,theinternalIPaddressrangeofthesubnetisalwaysprivate(non-routableontheInternet).

AroutetableisalogicalconstructwithinanAmazonVPCthatcontainsasetofrules(calledroutes)thatareappliedtothesubnetandusedtodeterminewherenetworktrafficisdirected.Aroutetable’sroutesarewhatpermitAmazonEC2instanceswithindifferentsubnetswithinanAmazonVPCtocommunicatewitheachother.Youcanmodifyroutetablesandaddyourowncustomroutes.Youcanalsouseroutetablestospecifywhichsubnetsarepublic(bydirectingInternettraffictotheIGW)andwhichsubnetsareprivate(bynothavingaroutethatdirectstraffictotheIGW).AnIGWisahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.IGWsarefullyredundantandhavenobandwidthconstraints.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletraffic,anditperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.

TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2host

nameassignmenttoyourownresources.Inorderforyoutoassignyourowndomainnametoyourinstances,youcreateacustomDHCPoptionsetandassignittoyourAmazonVPC.

AnEIPaddressisastatic,publicIPaddressinthepoolfortheregionthatyoucanallocatetoyouraccount(pullfromthepool)andrelease(returntothepool).EIPsallowyoutomaintainasetofIPaddressesthatremainfixedwhiletheunderlyinginfrastructuremaychangeovertime.

AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,VPNconnection,orAWSDirectConnect.Youcancreatemultipleendpointsforasingleservice,andyoucanusedifferentroutetablestoenforcedifferentaccesspoliciesfromdifferentsubnetstothesameservice.

AnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheywerewithinthesamenetwork.YoucancreateanAmazonVPCpeeringconnectionbetweenyourownAmazonVPCsorwithanAmazonVPCinanotherAWSaccountwithinasingleregion.ApeeringconnectionisneitheragatewaynoraVPNconnectionanddoesnotintroduceasinglepointoffailureforcommunication.

AsecuritygroupisavirtualstatefulfirewallthatcontrolsinboundandoutboundtraffictoAmazonEC2instances.WhenyoufirstlaunchanAmazonEC2instanceintoanAmazonVPC,youmustspecifythesecuritygroupwithwhichitwillbeassociated.AWSprovidesadefaultsecuritygroupforyouruse,whichhasrulesthatallowallinstancesassociatedwiththesecuritygrouptocommunicatewitheachotherandallowalloutboundtraffic.Youmaychangetherulesforthedefaultsecuritygroup,butyoumaynotdeletethedefaultsecuritygroup.

AnetworkACLisanotherlayerofsecuritythatactsasastatelessfirewallonasubnetlevel.AmazonVPCsarecreatedwithamodifiabledefaultnetworkACLassociatedwitheverysubnetthatallowsallinboundandoutboundtraffic.IfyouwanttocreateacustomnetworkACL,itsinitialconfigurationwilldenyallinboundandoutboundtrafficuntilyoucreatearulethatstatesotherwise.

ANATinstanceisacustomer-managedinstancethatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATinstance,andforwardthetraffictotheIGW.Inaddition,theNATinstancemaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.

ANATgatewayisanAWS-managedservicethatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATgateway,andforwardthetraffictotheIGW.Inaddition,theNATgatewaymaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.

AVPGistheVPNconcentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.ACGWisaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.AfterthesetwoelementsofanAmazonVPChavebeencreated,thelaststepistocreateaVPNtunnel.TheVPNtunnelisestablishedaftertrafficisgeneratedfromthe

customer’ssideoftheVPNconnection.

ExamEssentialsUnderstandwhataVPCisanditscoreandoptionalcomponents.AnAmazonVPCisalogicallyisolatednetworkintheAWSCloud.AnAmazonVPCismadeupofthefollowingcoreelements:subnets(public,private,andVPN-only),routetables,DHCPoptionsets,securitygroups,andnetworkACLs.OptionalelementsincludeanIGW,EIPaddresses,endpoints,peeringconnections,NATinstances,VPGs,CGWs,andVPNconnections.

Understandthepurposeofasubnet.AsubnetisasegmentofanAmazonVPC’sIPaddressrangewhereyoucanplacegroupsofisolatedresources.SubnetsaredefinedbyCIDRblocks—forexample,10.0.1.0/24and10.0.2.0/24—andarecontainedwithinanAvailabilityZone.

Identifythedifferencebetweenapublicsubnet,aprivatesubnet,andaVPN-Onlysubnet.Ifasubnet’strafficisroutedtoanIGW,thesubnetisknownasapublicsubnet.Ifasubnetdoesn’thavearoutetotheIGW,thesubnetisknownasaprivatesubnet.Ifasubnetdoesn’thavearoutetotheIGW,buthasitstrafficroutedtoaVPG,thesubnetisknownasaVPN-onlysubnet.

Understandthepurposeofaroutetable.Aroutetableisasetofrules(calledroutes)thatareusedtodeterminewherenetworktrafficisdirected.AroutetableallowsAmazonEC2instanceswithindifferentsubnetstocommunicatewitheachother(withinthesameAmazonVPC).TheAmazonVPCrouteralsoenablessubnets,IGWs,andVPGstocommunicatewitheachother.

UnderstandthepurposeofanIGW.AnIGWisahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.IGWsarefullyredundantandhavenobandwidthconstraints.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletrafficandperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.

UnderstandwhatDHCPoptionsetsprovidetoanAmazonVPC.TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2hostnameassignmenttoyourownresources.YoucanspecifythedomainnameforinstanceswithinanAmazonVPCandidentifytheIPaddressesofcustomDNSservers,NTPservers,andNetBIOSservers.

KnowthedifferencebetweenanAmazonVPCpublicIPaddressandanEIPaddress.ApublicIPaddressisanAWS-ownedIPthatcanbeautomaticallyassignedtoinstanceslaunchedwithinasubnet.AnEIPaddressisanAWS-ownedpublicIPaddressthatyouallocatetoyouraccountandassigntoinstancesornetworkinterfacesondemand.

UnderstandwhatendpointsprovidetoanAmazonVPC.AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,aVPNconnection,orAWSDirectConnect.Endpointssupportserviceswithintheregiononly.

UnderstandAmazonVPCpeering.AnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheyarewithinthesamenetwork.Peeringconnections

arecreatedthrougharequest/acceptprotocol.Transitivepeeringisnotsupported,andpeeringisonlyavailablebetweenAmazonVPCswithinthesameregion.

KnowthedifferencebetweenasecuritygroupandanetworkACL.Asecuritygroupappliesattheinstancelevel.Youcanhavemultipleinstancesinmultiplesubnetsthataremembersofthesamesecuritygroups.Securitygroupsarestateful,whichmeansthatreturntrafficisautomaticallyallowed,regardlessofanyoutboundrules.AnetworkACLisappliedonasubnetlevel,andtrafficisstateless.YouneedtoallowbothinboundandoutboundtrafficonthenetworkACLinorderforAmazonEC2instancesinasubnettobeabletocommunicateoveraparticularprotocol.

UnderstandwhataNATprovidestoanAmazonVPC.ANATinstanceorNATgatewayenablesinstancesinaprivatesubnettoinitiateoutboundtraffictotheInternet.ThisallowsoutboundInternetcommunicationtodownloadpatchesandupdates,forexample,butpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.

UnderstandthecomponentsneededtoestablishaVPNconnectionfromanetworktoanAmazonVPC.AVPGistheVPNconcentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.ACGWrepresentsaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.TheVPNconnectionmustbeinitiatedfromtheCGWside,andtheconnectionconsistsoftwoIPSectunnels.

ExercisesThebestwaytobecomefamiliarwithAmazonVPCistobuildyourowncustomAmazonVPCandthendeployAmazonEC2instancesintoit,whichiswhatyou’llbedoinginthissection.YoushouldrepeattheseexercisesuntilyoucancreateanddecommissionAmazonVPCswithconfidence.

Forassistancecompletingtheseexercises,refertotheAmazonVPCUserGuidelocatedathttp://aws.amazon.com/documentation/vpc/.

EXERCISE4.1

CreateaCustomAmazonVPC1. SignintotheAWSManagementConsoleasanadministratororpoweruser.

2. SelecttheAmazonVPCicontolaunchtheAmazonVPCDashboard.

3. CreateanAmazonVPCwithaCIDRblockequalto192.168.0.0/16,anametagofMyFirstVPC,anddefaulttenancy.

YouhavecreatedyourfirstcustomVPC.

EXERCISE4.2

CreateTwoSubnetsforYourCustomAmazonVPC1. CreateasubnetwithaCIDRblockequalto192.168.1.0/24andanametagofMy

FirstPublicSubnet.CreatethesubnetintheAmazonVPCfromExercise4.1,andspecifyanAvailabilityZoneforthesubnet(forexample,US-East-1a).

2. CreateasubnetwithaCIDRblockequalto192.168.2.0/24andanametagofMyFirstPrivateSubnet.CreatethesubnetintheAmazonVPCfromExercise4.1,andspecifyadifferentAvailabilityZoneforthesubnetthanpreviouslyspecified(forexample,US-East-1b).

Youhavenowcreatedtwonewsubnets,eachinitsownAvailabilityZone.It’simportanttorememberthatonesubnetequalsoneAvailabilityZone.YoucannotstretchasubnetacrossmultipleAvailabilityZones.

http://aws.amazon.com/documentation/vpc/

EXERCISE4.3

ConnectYourCustomAmazonVPCtotheInternetandEstablishRoutingForassistancewiththisexercise,refertotheAmazonEC2keypairdocumentationat:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Foradditionalassistancewiththisexercise,refertotheNATinstancesdocumentationat:http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance

.html#NATInstance

1. CreateanAmazonEC2keypairinthesameregionasyourcustomAmazonVPC.

2. CreateanIGWwithanametagofMyFirstIGWandattachittoyourcustomAmazonVPC.

3. AddaroutetothemainroutetableforyourcustomAmazonVPCthatdirectsInternettraffic(0.0.0.0/0)totheIGW.

4. CreateaNATgateway,placeitinthepublicsubnetofyourcustomAmazonVPC,andassignitanEIP.

5. CreateanewroutetablewithanametagofMyFirstPrivateRouteTableandplaceitwithinyourcustomAmazonVPC.AddaroutetoitthatdirectsInternettraffic(0.0.0.0/0)totheNATgatewayandassociateitwiththeprivatesubnet.

YouhavenowcreatedaconnectiontotheInternetforresourceswithinyourAmazonVPC.YouestablishedroutingrulesthatdirectInternettraffictotheIGWregardlessoftheoriginatingsubnet.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance

EXERCISE4.4

LaunchanAmazonEC2InstanceandTesttheConnectiontotheInternet1. Launchat2.microAmazonLinuxAMIasanAmazonEC2instanceintothepublicsubnetofyourcustomAmazonVPC,giveitanametagofMyFirstPublicInstance,andselectthenewly-createdkeypairforsecureaccesstotheinstance.

2. SecurelyaccesstheAmazonEC2instanceinthepublicsubnetviaSSHwiththenewly-createdkeypair.

3. Executeanupdatetotheoperatingsysteminstancelibrariesbyexecutingthefollowingcommand:

#sudoyumupdate-y

4. YoushouldseeoutputshowingtheinstancedownloadingsoftwarefromtheInternetandinstallingit.

YouhavenowprovisionedanAmazonEC2instanceinapublicsubnet.YoucanapplypatchestotheAmazonEC2instanceinthepublicsubnet,andyouhavedemonstratedconnectivitytotheInternet.

ReviewQuestions1. WhatistheminimumsizesubnetthatyoucanhaveinanAmazonVPC?

A. /24

B. /26

C. /28

D. /30

2. YouareasolutionsarchitectworkingforalargetravelcompanythatismigratingitsexistingserverestatetoAWS.YouhaverecommendedthattheyuseacustomAmazonVPC,andtheyhaveagreedtoproceed.Theywillneedapublicsubnetfortheirwebserversandaprivatesubnetinwhichtoplacetheirdatabases.Theyalsorequirethatthewebserversanddatabaseserversbehighlyavailableandthattherebeaminimumoftwowebserversandtwodatabaseserverseach.Howmanysubnetsshouldyouhavetomaintainhighavailability?

A. 2

B. 3

C. 4

D. 1

3. WhichofthefollowingisanoptionalsecuritycontrolthatcanbeappliedatthesubnetlayerofaVPC?

A. NetworkACL

B. SecurityGroup

C. Firewall

D. Webapplicationfirewall

4. WhatisthemaximumsizeIPaddressrangethatyoucanhaveinanAmazonVPC?

A. /16

B. /24

C. /28

D. /30

5. YoucreateanewsubnetandthenaddaroutetoyourroutetablethatroutestrafficoutfromthatsubnettotheInternetusinganIGW.Whattypeofsubnethaveyoucreated?

A. Aninternalsubnet

B. Aprivatesubnet

C. Anexternalsubnet

D. Apublicsubnet

6. WhathappenswhenyoucreateanewAmazonVPC?

A. Amainroutetableiscreatedbydefault.

B. Threesubnetsarecreatedbydefault—oneforeachAvailabilityZone.

C. ThreesubnetsarecreatedbydefaultinoneAvailabilityZone.

D. AnIGWiscreatedbydefault.

7. YoucreateanewVPCinUS-East-1andprovisionthreesubnetsinsidethisAmazonVPC.Whichofthefollowingstatementsistrue?

A. Bydefault,thesesubnetswillnotbeabletocommunicatewitheachother;youwillneedtocreateroutes.

B. Allsubnetsarepublicbydefault.

C. Allsubnetswillbeabletocommunicatewitheachotherbydefault.

D. EachsubnetwillhaveidenticalCIDRblocks.

8. HowmanyIGWscanyouattachtoanAmazonVPCatanyonetime?

A. 1

B. 2

C. 3

D. 4

9. WhataspectofanAmazonVPCisstateful?

A. NetworkACLs

B. Securitygroups

C. AmazonDynamoDB

D. AmazonS3

10. YouhavecreatedacustomAmazonVPCwithbothprivateandpublicsubnets.YouhavecreatedaNATinstanceanddeployedthisinstancetoapublicsubnet.YouhaveattachedanEIPaddressandaddedyourNATtotheroutetable.Unfortunately,instancesinyourprivatesubnetstillcannotaccesstheInternet.Whatmaybethecauseofthis?

A. YourNATisinapublicsubnet,butitneedstobeinaprivatesubnet.

B. YourNATshouldbebehindanElasticLoadBalancer.

C. Youshoulddisablesource/destinationchecksontheNAT.

D. YourNAThasbeendeployedonaWindowsinstance,butyourotherinstancesareLinux.YoushouldredeploytheNATontoaLinuxinstance.

11. WhichofthefollowingwilloccurwhenanAmazonElasticBlockStore(AmazonEBS)-backedAmazonEC2instanceinanAmazonVPCwithanassociatedEIPisstoppedandstarted?(Choose2answers)

A. TheEIPwillbedissociatedfromtheinstance.

B. Alldataoninstance-storedeviceswillbelost.

C. AlldataonAmazonEBSdeviceswillbelost.

D. TheENIisdetached.

E. Theunderlyinghostfortheinstanceischanged.

12. HowmanyVPCPeeringconnectionsarerequiredforfourVPCslocatedwithinthesameAWSregiontobeabletosendtraffictoeachoftheothers?

A. 3

B. 4

C. 5

D. 6

13. WhichofthefollowingAWSresourceswouldyouuseinorderforanEC2-VPCinstancetoresolveDNSnamesoutsideofAWS?

A. AVPCpeeringconnection

B. ADHCPoptionset

C. Aroutingrule

D. AnIGW

14. WhichofthefollowingistheAmazonsideofanAmazonVPNconnection?

A. AnEIP

B. ACGW

C. AnIGW

D. AVPG

15. WhatisthedefaultlimitforthenumberofAmazonVPCsthatacustomermayhaveinaregion?

A. 5

B. 6

C. 7

D. ThereisnodefaultmaximumnumberofVPCswithinaregion.

16. Youareresponsibleforyourcompany’sAWSresources,andyounoticeasignificantamountoftrafficfromanIPaddressinaforeigncountryinwhichyourcompanydoesnothavecustomers.FurtherinvestigationofthetrafficindicatesthesourceofthetrafficisscanningforopenportsonyourEC2-VPCinstances.Whichoneofthefollowingresourcescandenythetrafficfromreachingtheinstances?

A. Securitygroup

B. NetworkACL

C. NATinstance

D. AnAmazonVPCendpoint

17. WhichofthefollowingisthesecurityprotocolsupportedbyAmazonVPC?

A. SSH

B. AdvancedEncryptionStandard(AES)

C. Point-to-PointTunnelingProtocol(PPTP)

D. IPsec

18. WhichofthefollowingAmazonVPCresourceswouldyouuseinorderforEC2-VPCinstancestosendtrafficdirectlytoAmazonS3?

A. AmazonS3gateway

B. IGW

C. CGW

D. VPCendpoint

19. WhatpropertiesofanAmazonVPCmustbespecifiedatthetimeofcreation?(Choose2answers)

A. TheCIDRblockrepresentingtheIPaddressrange

B. OneormoresubnetsfortheAmazonVPC

C. TheregionfortheAmazonVPC

D. AmazonVPCPeeringrelationships

20. WhichAmazonVPCfeatureallowsyoutocreateadual-homedinstance?

A. EIPaddress

B. ENI

C. Securitygroups

D. CGW

Chapter5ElasticLoadBalancing,AmazonCloudWatch,andAutoScalingTHEAWSCERTIFIEDSOLUTIONSARCHITECTEXAMTOPICSCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-effective,fault-tolerant,scalablesystems




2.1IdentifytheappropriatetechniquesandmethodsusingAmazonElasticComputeCloud(AmazonEC2),AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.





CloudWatchLogs

Domain4.0:Troubleshooting


Generaltroubleshootinginformationandquestions

IntroductionInthischapter,youwilllearnhowElasticLoadBalancing,AmazonCloudWatch,andAutoScalingworkbothindependentlyandtogethertohelpyouefficientlyandcost-effectivelydeployhighlyavailableandoptimizedworkloadsonAWS.

ElasticLoadBalancingisahighlyavailableservicethatdistributestrafficacrossAmazonElasticComputeCloud(AmazonEC2)instancesandincludesoptionsthatprovideflexibilityandcontrolofincomingrequeststoAmazonEC2instances.

AmazonCloudWatchisaservicethatmonitorsAWSCloudresourcesandapplicationsrunningonAWS.Itcollectsandtracksmetrics,collectsandmonitorslogfiles,andsetsalarms.AmazonCloudWatchhasabasiclevelofmonitoringfornocostandamoredetailedlevelofmonitoringforanadditionalcost.

AutoScalingisaservicethatallowsyoutomaintaintheavailabilityofyourapplicationsbyscalingAmazonEC2capacityupordowninaccordancewithconditionsyouset.

Thischaptercoversallthreeservicesseparately,butitalsohighlightshowtheycanworktogethertobuildmorerobustandhighlyavailablearchitecturesonAWS.

ElasticLoadBalancingAnadvantageofhavingaccesstoalargenumberofserversinthecloud,suchasAmazonEC2instancesonAWS,istheabilitytoprovideamoreconsistentexperiencefortheenduser.Onewaytoensureconsistencyistobalancetherequestloadacrossmorethanoneserver.AloadbalancerisamechanismthatautomaticallydistributestrafficacrossmultipleAmazonEC2instances.YoucaneithermanageyourownvirtualloadbalancersonAmazonEC2instancesorleverageanAWSCloudservicecalledElasticLoadBalancing,whichprovidesamanagedloadbalancerforyou.

TheElasticLoadBalancingserviceallowsyoutodistributetrafficacrossagroupofAmazonEC2instancesinoneormoreAvailabilityZones,enablingyoutoachievehighavailabilityinyourapplications.ElasticLoadBalancingsupportsroutingandloadbalancingofHypertextTransferProtocol(HTTP),HypertextTransferProtocolSecure(HTTPS),TransmissionControlProtocol(TCP),andSecureSocketsLayer(SSL)traffictoAmazonEC2instances.ElasticLoadBalancingprovidesastable,singleCanonicalNamerecord(CNAME)entrypointforDomainNameSystem(DNS)configurationandsupportsbothInternet-facingandinternalapplication-facingloadbalancers.ElasticLoadBalancingsupportshealthchecksforAmazonEC2instancestoensuretrafficisnotroutedtounhealthyorfailinginstances.Also,ElasticLoadBalancingcanautomaticallyscalebasedoncollectedmetrics.

ThereareseveraladvantagesofusingElasticLoadBalancing.BecauseElasticLoadBalancingisamanagedservice,itscalesinandoutautomaticallytomeetthedemandsofincreasedapplicationtrafficandishighlyavailablewithinaregionitselfasaservice.ElasticLoadBalancinghelpsyouachievehighavailabilityforyourapplicationsbydistributingtrafficacrosshealthyinstancesinmultipleAvailabilityZones.Additionally,ElasticLoadBalancingseamlesslyintegrateswiththeAutoScalingservicetoautomaticallyscaletheAmazonEC2instancesbehindtheloadbalancer.Finally,ElasticLoadBalancingissecure,workingwithAmazonVirtualPrivateCloud(AmazonVPC)toroutetrafficinternallybetweenapplicationtiers,allowingyoutoexposeonlyInternet-facingpublicIPaddresses.ElasticLoadBalancingalsosupportsintegratedcertificatemanagementandSSLtermination.

ElasticLoadBalancingisahighlyavailableserviceitselfandcanbeusedtohelpbuildhighlyavailablearchitectures.

TypesofLoadBalancersElasticLoadBalancingprovidesseveraltypesofloadbalancersforhandlingdifferentkindsofconnectionsincludingInternet-facing,internal,andloadbalancersthatsupportencryptedconnections.

Internet-FacingLoadBalancersAnInternet-facingloadbalanceris,asthenameimplies,aloadbalancerthattakesrequestsfromclientsovertheInternetanddistributesthemtoAmazonEC2instancesthatareregisteredwiththeloadbalancer.

Whenyouconfigurealoadbalancer,itreceivesapublicDNSnamethatclientscanusetosendrequeststoyourapplication.TheDNSserversresolvetheDNSnametoyourloadbalancer’spublicIPaddress,whichcanbevisibletoclientapplications.

AnAWSrecommendedbestpracticeisalwaystoreferencealoadbalancerbyitsDNSname,insteadofbytheIPaddressoftheloadbalancer,inordertoprovideasingle,stableentrypoint.

BecauseElasticLoadBalancingscalesinandouttomeettrafficdemand,itisnotrecommendedtobindanapplicationtoanIPaddressthatmaynolongerbepartofaloadbalancer’spoolofresources.

ElasticLoadBalancinginAmazonVPCsupportsIPv4addressesonly.ElasticLoadBalancinginEC2-ClassicsupportsbothIPv4andIPv6addresses.

InternalLoadBalancersInamulti-tierapplication,itisoftenusefultoloadbalancebetweenthetiersoftheapplication.Forexample,anInternet-facingloadbalancermightreceiveandbalanceexternaltraffictothepresentationorwebtierwhoseAmazonEC2instancesthensenditsrequeststoaloadbalancersittinginfrontoftheapplicationtier.YoucanuseinternalloadbalancerstoroutetraffictoyourAmazonEC2instancesinVPCswithprivatesubnets.

HTTPSLoadBalancersYoucancreatealoadbalancerthatusestheSSL/TransportLayerSecurity(TLS)protocolforencryptedconnections(alsoknownasSSLoffload).ThisfeatureenablestrafficencryptionbetweenyourloadbalancerandtheclientsthatinitiateHTTPSsessions,andforconnectionsbetweenyourloadbalancerandyourback-endinstances.ElasticLoadBalancingprovidessecuritypoliciesthathavepredefinedSSLnegotiationconfigurationstousetonegotiateconnectionsbetweenclientsandtheloadbalancer.InordertouseSSL,youmustinstallanSSLcertificateontheloadbalancerthatitusestoterminatetheconnectionandthendecryptrequestsfromclientsbeforesendingrequeststotheback-endAmazonEC2instances.Youcanoptionallychoosetoenableauthenticationonyourback-endinstances.

ElasticLoadBalancingdoesnotsupportServerNameIndication(SNI)onyourloadbalancer.ThismeansthatifyouwanttohostmultiplewebsitesonafleetofAmazonEC2instancesbehindElasticLoadBalancingwithasingleSSLcertificate,youwillneedtoaddaSubjectAlternativeName(SAN)foreachwebsitetothecertificatetoavoidsiteusersseeingawarningmessagewhenthesiteisaccessed.

ListenersEveryloadbalancermusthaveoneormorelistenersconfigured.Alistenerisaprocessthatchecksforconnectionrequests—forexample,aCNAMEconfiguredtotheArecordnameoftheloadbalancer.Everylistenerisconfiguredwithaprotocolandaport(clienttoloadbalancer)forafront-endconnectionandaprotocolandaportfortheback-end(loadbalancertoAmazonEC2instance)connection.ElasticLoadBalancingsupportsthefollowing

protocols:

HTTP

HTTPS

TCP

SSL

ElasticLoadBalancingsupportsprotocolsoperatingattwodifferentOpenSystemInterconnection(OSI)layers.IntheOSImodel,Layer4isthetransportlayerthatdescribestheTCPconnectionbetweentheclientandyourback-endinstancethroughtheloadbalancer.Layer4isthelowestlevelthatisconfigurableforyourloadbalancer.Layer7istheapplicationlayerthatdescribestheuseofHTTPandHTTPSconnectionsfromclientstotheloadbalancerandfromtheloadbalancertoyourback-endinstance.

TheSSLprotocolisprimarilyusedtoencryptconfidentialdataoverinsecurenetworkssuchastheInternet.TheSSLprotocolestablishesasecureconnectionbetweenaclientandtheback-endserverandensuresthatallthedatapassedbetweenyourclientandyourserverisprivate.

ConfiguringElasticLoadBalancingElasticLoadBalancingallowsyoutoconfiguremanyaspectsoftheloadbalancer,includingidleconnectiontimeout,cross-zoneloadbalancing,connectiondraining,proxyprotocol,stickysessions,andhealthchecks.ConfigurationsettingscanbemodifiedusingeithertheAWSManagementConsoleoraCommandLineInterface(CLI).Someoftheoptionsaredescribednext.

IdleConnectionTimeoutForeachrequestthataclientmakesthroughaloadbalancer,theloadbalancermaintainstwoconnections.Oneconnectioniswiththeclientandtheotherconnectionistotheback-endinstance.Foreachconnection,theloadbalancermanagesanidletimeoutthatistriggeredwhennodataissentovertheconnectionforaspecifiedtimeperiod.Aftertheidletimeoutperiodhaselapsed,ifnodatahasbeensentorreceived,theloadbalancerclosestheconnection.

Bydefault,ElasticLoadBalancingsetstheidletimeoutto60secondsforbothconnections.IfanHTTPrequestdoesn’tcompletewithintheidletimeoutperiod,theloadbalancerclosestheconnection,evenifdataisstillbeingtransferred.Youcanchangetheidletimeoutsettingfortheconnectionstoensurethatlengthyoperations,suchasfileuploads,havetimetocomplete.

IfyouuseHTTPandHTTPSlisteners,werecommendthatyouenablethekeep-aliveoptionforyourAmazonEC2instances.Youcanenablekeep-aliveinyourwebserversettingsorinthekernelsettingsforyourAmazonEC2instances.Keep-alive,whenenabled,allowstheloadbalancertoreuseconnectionstoyourback-endinstance,whichreducesCPUutilization.

Toensurethattheloadbalancerisresponsibleforclosingtheconnectionstoyourback-endinstance,makesurethatthevalueyousetforthekeep-alivetimeisgreaterthantheidletimeoutsettingonyourloadbalancer.

Cross-ZoneLoadBalancingToensurethatrequesttrafficisroutedevenlyacrossallback-endinstancesforyourloadbalancer,regardlessoftheAvailabilityZoneinwhichtheyarelocated,youshouldenablecross-zoneloadbalancingonyourloadbalancer.Cross-zoneloadbalancingreducestheneedtomaintainequivalentnumbersofback-endinstancesineachAvailabilityZoneandimprovesyourapplication’sabilitytohandlethelossofoneormoreback-endinstances.However,itisstillrecommendedthatyoumaintainapproximatelyequivalentnumbersofinstancesineachAvailabilityZoneforhigherfaulttolerance.

ForenvironmentswhereclientscacheDNSlookups,incomingrequestsmightfavoroneoftheAvailabilityZones.Usingcross-zoneloadbalancing,thisimbalanceintherequestloadisspreadacrossallavailableback-endinstancesintheregion,reducingtheimpactofmisconfiguredclients.

ConnectionDrainingYoushouldenableconnectiondrainingtoensurethattheloadbalancerstopssendingrequeststoinstancesthatarederegisteringorunhealthy,whilekeepingtheexistingconnectionsopen.Thisenablestheloadbalancertocompletein-flightrequestsmadetotheseinstances.

Whenyouenableconnectiondraining,youcanspecifyamaximumtimefortheloadbalancertokeepconnectionsalivebeforereportingtheinstanceasderegistered.Themaximumtimeoutvaluecanbesetbetween1and3,600seconds(thedefaultis300seconds).Whenthemaximumtimelimitisreached,theloadbalancerforciblyclosesconnectionstothederegisteringinstance.

ProxyProtocolWhenyouuseTCPorSSLforbothfront-endandback-endconnections,yourloadbalancerforwardsrequeststotheback-endinstanceswithoutmodifyingtherequestheaders.IfyouenableProxyProtocol,ahuman-readableheaderisaddedtotherequestheaderwithconnectioninformationsuchasthesourceIPaddress,destinationIPaddress,andportnumbers.Theheaderisthensenttotheback-endinstanceaspartoftherequest.

BeforeusingProxyProtocol,verifythatyourloadbalancerisnotbehindaproxyserverwithProxyProtocolenabled.IfProxyProtocolisenabledonboththeproxyserverandtheloadbalancer,theloadbalanceraddsanotherheadertotherequest,whichalreadyhasaheaderfromtheproxyserver.Dependingonhowyourback-endinstanceisconfigured,thisduplicationmightresultinerrors.

StickySessionsBydefault,aloadbalancerrouteseachrequestindependentlytotheregisteredinstancewith

thesmallestload.However,youcanusethestickysessionfeature(alsoknownassessionaffinity),whichenablestheloadbalancertobindauser’ssessiontoaspecificinstance.Thisensuresthatallrequestsfromtheuserduringthesessionaresenttothesameinstance.

Thekeytomanagingstickysessionsistodeterminehowlongyourloadbalancershouldconsistentlyroutetheuser’srequesttothesameinstance.Ifyourapplicationhasitsownsessioncookie,youcanconfigureElasticLoadBalancingsothatthesessioncookiefollowsthedurationspecifiedbytheapplication’ssessioncookie.Ifyourapplicationdoesnothaveitsownsessioncookie,youcanconfigureElasticLoadBalancingtocreateasessioncookiebyspecifyingyourownstickinessduration.ElasticLoadBalancingcreatesacookienamedAWSELBthatisusedtomapthesessiontotheinstance.

HealthChecksElasticLoadBalancingsupportshealthcheckstotestthestatusoftheAmazonEC2instancesbehindanElasticLoadBalancingloadbalancer.ThestatusoftheinstancesthatarehealthyatthetimeofthehealthcheckisInService.ThestatusofanyinstancesthatareunhealthyatthetimeofthehealthcheckisOutOfService.Theloadbalancerperformshealthchecksonallregisteredinstancestodeterminewhethertheinstanceisinahealthystateoranunhealthystate.Ahealthcheckisaping,aconnectionattempt,orapagethatischeckedperiodically.Youcansetthetimeintervalbetweenhealthchecksandalsotheamountoftimetowaittorespondincasethehealthcheckpageincludesacomputationalaspect.Finally,youcansetathresholdforthenumberofconsecutivehealthcheckfailuresbeforeaninstanceismarkedasunhealthy.

UpdatesBehindanElasticLoadBalancingLoadBalancer

Long-runningapplicationswilleventuallyneedtobemaintainedandupdatedwithanewerversionoftheapplication.WhenusingAmazonEC2instancesrunningbehindanElasticLoadBalancingloadbalancer,youmayderegistertheselong-runningAmazonEC2instancesassociatedwithaloadbalancermanuallyandthenregisternewlylaunchedAmazonEC2instancesthatyouhavestartedwiththenewupdatesinstalled.

AmazonCloudWatchAmazonCloudWatchisaservicethatyoucanusetomonitoryourAWSresourcesandyourapplicationsinrealtime.WithAmazonCloudWatch,youcancollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestotheresourcesbeingmonitoredbasedonrulesyoudefine.

Forexample,youmightchoosetomonitorCPUutilizationtodecidewhentoaddorremoveAmazonEC2instancesinanapplicationtier.Or,ifaparticularapplication-specificmetricthatisnotvisibletoAWSisthebestindicatorforassessingyourscalingneeds,youcanperformaPUTrequesttopushthatmetricintoAmazonCloudWatch.Youcanthenusethiscustommetrictomanagecapacity.

Youcanspecifyparametersforametricoveratimeperiodandconfigurealarmsandautomatedactionswhenathresholdisreached.AmazonCloudWatchsupportsmultipletypesofactionssuchassendinganotificationtoanAmazonSimpleNotificationService(AmazonSNS)topicorexecutinganAutoScalingpolicy.

AmazonCloudWatchofferseitherbasicordetailedmonitoringforsupportedAWSproducts.BasicmonitoringsendsdatapointstoAmazonCloudWatcheveryfiveminutesforalimitednumberofpreselectedmetricsatnocharge.DetailedmonitoringsendsdatapointstoAmazonCloudWatcheveryminuteandallowsdataaggregationforanadditionalcharge.Ifyouwanttousedetailedmonitoring,youmustenableit—basicisthedefault.

AmazonCloudWatchsupportsmonitoringandspecificmetricsformostAWSCloudservices,including:AutoScaling,AmazonCloudFront,AmazonCloudSearch,AmazonDynamoDB,AmazonEC2,AmazonEC2ContainerService(AmazonECS),AmazonElastiCache,AmazonElasticBlockStore(AmazonEBS),ElasticLoadBalancing,AmazonElasticMapReduce(AmazonEMR),AmazonElasticsearchService,AmazonKinesisStreams,AmazonKinesisFirehose,AWSLambda,AmazonMachineLearning,AWSOpsWorks,AmazonRedshift,AmazonRelationalDatabaseService(AmazonRDS),AmazonRoute53,AmazonSNS,AmazonSimpleQueueService(AmazonSQS),AmazonS3,AWSSimpleWorkflowService(AmazonSWF),AWSStorageGateway,AWSWAF,andAmazonWorkSpaces.

ReadAlert

YoumayhaveanapplicationthatleveragesAmazonDynamoDB,andyouwanttoknowwhenreadrequestsreachacertainthresholdandalertyourselfwithanemail.YoucandothisbyusingProvisionedReadCapacityUnitsfortheAmazonDynamoDBtableforwhichyouwanttosetanalarm.Yousimplysetathresholdvalueduringanumberofconsecutiveperiodsandthenspecifyemailasthenotificationtype.Now,whenthethresholdissustainedoverthenumberofperiods,yourspecifiedemailwillalertyoutothereadactivity.

AmazonCloudWatchmetricscanberetrievedbyperformingaGETrequest.Whenyouusedetailedmonitoring,youcanalsoaggregatemetricsacrossalengthoftimeyouspecify.AmazonCloudWatchdoesnotaggregatedataacrossregionsbutcanaggregateacross

AvailabilityZoneswithinaregion.

AWSprovidesarichsetofmetricsincludedwitheachservice,butyoucanalsodefinecustommetricstomonitorresourcesandeventsAWSdoesnothavevisibilityinto—forexample,AmazonEC2instancememoryconsumptionanddiskmetricsthatarevisibletotheoperatingsystemoftheAmazonEC2instancebutnotvisibletoAWSorapplication-specificthresholdsrunningoninstancesthatarenotknowntoAWS.AmazonCloudWatchsupportsanApplicationProgrammingInterface(API)thatallowsprogramsandscriptstoPUTmetricsintoAmazonCloudWatchasname-valuepairsthatcanthenbeusedtocreateeventsandtriggeralarmsinthesamemannerasthedefaultAmazonCloudWatchmetrics.

AmazonCloudWatchLogscanbeusedtomonitor,store,andaccesslogfilesfromAmazonEC2instances,AWSCloudTrail,andothersources.Youcanthenretrievethelogdataandmonitorinrealtimeforevents—forexample,youcantrackthenumberoferrorsinyourapplicationlogsandsendanotificationifanerrorrateexceedsathreshold.AmazonCloudWatchLogscanalsobeusedtostoreyourlogsinAmazonS3orAmazonGlacier.Logscanberetainedindefinitelyoraccordingtoanagingpolicythatwilldeleteolderlogsasnolongerneeded.

ACloudWatchLogsagentisavailablethatprovidesanautomatedwaytosendlogdatatoCloudWatchLogsforAmazonEC2instancesrunningAmazonLinuxorUbuntu.YoucanusetheAmazonCloudWatchLogsagentinstalleronanexistingAmazonEC2instancetoinstallandconfiguretheCloudWatchLogsagent.Afterinstallationiscomplete,theagentconfirmsthatithasstartedanditstaysrunninguntilyoudisableit.

AmazonCloudWatchhassomelimitsthatyoushouldkeepinmindwhenusingtheservice.EachAWSaccountislimitedto5,000alarmsperAWSaccount,andmetricsdataisretainedfortwoweeksbydefault(atthetimeofthiswriting).Ifyouwanttokeepthedatalonger,youwillneedtomovethelogstoapersistentstorelikeAmazonS3orAmazonGlacier.YoushouldfamiliarizeyourselfwiththelimitsforAmazonCloudWatchintheAmazonCloudWatchDeveloperGuide.

AutoScalingAdistinctadvantageofdeployingapplicationstothecloudistheabilitytolaunchandthenreleaseserversinresponsetovariableworkloads.Provisioningserversondemandandthenreleasingthemwhentheyarenolongerneededcanprovidesignificantcostsavingsforworkloadsthatarenotsteadystate.Examplesincludeawebsiteforaspecificsportingevent,anend-of-monthdata-inputsystem,aretailshoppingsitesupportingflashsales,amusicartistwebsiteduringthereleaseofnewsongs,acompanywebsiteannouncingsuccessfulearnings,oranightlyprocessingruntocalculatedailyactivity.

AutoScalingisaservicethatallowsyoutoscaleyourAmazonEC2capacityautomaticallybyscalingoutandscalinginaccordingtocriteriathatyoudefine.WithAutoScaling,youcanensurethatthenumberofrunningAmazonEC2instancesincreasesduringdemandspikesorpeakdemandperiodstomaintainapplicationperformanceanddecreasesautomaticallyduringdemandlullsortroughstominimizecosts.

EmbracetheSpike

Manywebapplicationshaveunplannedloadincreasesbasedoneventsoutsideofyourcontrol.Forexample,yourcompanymaygetmentionedonapopularblogortelevisionprogramdrivingmanymorepeopletovisityoursitethanexpected.SettingupAutoScalinginadvancewillallowyoutoembraceandsurvivethiskindoffastincreaseinthenumberofrequests.AutoScalingwillscaleupyoursitetomeettheincreaseddemandandthenscaledownwhentheeventsubsides.

AutoScalingPlansAutoScalinghasseveralschemesorplansthatyoucanusetocontrolhowyouwantAutoScalingtoperform.

MaintainCurrentInstanceLevelsYoucanconfigureyourAutoScalinggrouptomaintainaminimumorspecifiednumberofrunninginstancesatalltimes.Tomaintainthecurrentinstancelevels,AutoScalingperformsaperiodichealthcheckonrunninginstanceswithinanAutoScalinggroup.WhenAutoScalingfindsanunhealthyinstance,itterminatesthatinstanceandlaunchesanewone.

SteadystateworkloadsthatneedaconsistentnumberofAmazonEC2instancesatalltimescanuseAutoScalingtomonitorandkeepthatspecificnumberofAmazonEC2instancesrunning.

ManualScalingManualscalingisthemostbasicwaytoscaleyourresources.Youonlyneedtospecifythechangeinthemaximum,minimum,ordesiredcapacityofyourAutoScalinggroup.Auto

Scalingmanagestheprocessofcreatingorterminatinginstancestomaintaintheupdatedcapacity.

Manualscalingoutcanbeveryusefultoincreaseresourcesforaninfrequentevent,suchasthereleaseofanewgameversionthatwillbeavailablefordownloadandrequireauserregistration.Forextremelylarge-scaleevents,eventheElasticLoadBalancingloadbalancerscanbepre-warmedbyworkingwithyourlocalsolutionsarchitectorAWSSupport.

ScheduledScalingSometimesyouknowexactlywhenyouwillneedtoincreaseordecreasethenumberofinstancesinyourgroup,simplybecausethatneedarisesonapredictableschedule.Examplesincludeperiodiceventssuchasend-of-month,end-of-quarter,orend-of-yearprocessing,andalsootherpredictable,recurringevents.Scheduledscalingmeansthatscalingactionsareperformedautomaticallyasafunctionoftimeanddate.

Recurringeventssuchasend-of-month,quarter,oryearprocessing,orscheduledandrecurringautomatedloadandperformancetesting,canbeanticipatedandAutoScalingcanberampedupappropriatelyatthetimeofthescheduledevent.

DynamicScalingDynamicscalingletsyoudefineparametersthatcontroltheAutoScalingprocessinascalingpolicy.Forexample,youmightcreateapolicythataddsmoreAmazonEC2instancestothewebtierwhenthenetworkbandwidth,measuredbyAmazonCloudWatch,reachesacertainthreshold.

AutoScalingComponentsAutoScalinghasseveralcomponentsthatneedtobeconfiguredtoworkproperly:alaunchconfiguration,anAutoScalinggroup,andanoptionalscalingpolicy.

LaunchConfigurationAlaunchconfigurationisthetemplatethatAutoScalingusestocreatenewinstances,anditiscomposedoftheconfigurationname,AmazonMachineImage(AMI),AmazonEC2instancetype,securitygroup,andinstancekeypair.EachAutoScalinggroupcanhaveonlyonelaunchconfigurationatatime.

TheCLIcommandthatfollowswillcreatealaunchconfigurationwiththefollowingattributes:

Name:myLC

AMI:ami-0535d66c

Instancetype:m3.medium

Securitygroups:sg-f57cde9d

Instancekeypair:myKeyPair

>awsautoscalingcreate-launch-configuration-–launch-configuration-namemyLC--

image-idami-0535d66c--instance-typem3.medium--security-groupssg-f57cde9d--

key-namemyKeyPair

SecuritygroupsforinstanceslaunchedinEC2-Classicmaybereferencedbysecuritygroupnamesuchas“SSH”or“Web”ifthatiswhattheyarenamed,oryoucanreferencethesecuritygroupIDs,suchassg-f57cde9d.IfyoulaunchedtheinstancesinAmazonVPC,whichisrecommended,youmustusethesecuritygroupIDstoreferencethesecuritygroupsyouwantassociatedwiththeinstancesinanAutoScalinglaunchconfiguration.

Thedefaultlimitforlaunchconfigurationsis100perregion.Ifyouexceedthislimit,thecalltocreate-launch-configurationwillfail.Youmayviewandupdatethislimitbyrunningdescribe-account-limitsatthecommandline,asshownhere.

>awsautoscalingdescribe-account-limits

AutoScalingmaycauseyoutoreachlimitsofotherservices,suchasthedefaultnumberofAmazonEC2instancesyoucancurrentlylaunchwithinaregion,whichis20.WhenbuildingmorecomplexarchitectureswithAWS,itisimportanttokeepinmindtheservicelimitsforallAWSCloudservicesyouareusing.

WhenyourunacommandusingtheCLIanditfails,checkyoursyntaxfirst.Ifthatchecksout,verifythelimitsforthecommandyouareattempting,andchecktoseethatyouhavenotexceededalimit.Somelimitscanberaisedandusuallydefaultedtoareasonablevaluetolimitaracecondition,anerrantscriptrunninginaloop,orothersimilarautomationthatmightcauseunintendedhighusageandbillingofAWSresources.AWSservicelimitscanbeviewedintheAWSGeneralReferenceGuideunderAWSServiceLimits.YoucanraiseyourlimitsbycreatingasupportcaseattheAWSSupportCenteronlineandthenchoosingServiceLimitIncreaseunderRegarding.Thenfillintheappropriateserviceandlimittoincreasevalueintheonlineform.

AutoScalingGroupAnAutoScalinggroupisacollectionofAmazonEC2instancesmanagedbytheAutoScalingservice.EachAutoScalinggroupcontainsconfigurationoptionsthatcontrolwhenAutoScalingshouldlaunchnewinstancesandterminateexistinginstances.AnAutoScalinggroupmustcontainanameandaminimumandmaximumnumberofinstancesthatcanbeinthegroup.Youcanoptionallyspecifydesiredcapacity,whichisthenumberofinstancesthatthegroupmusthaveatalltimes.Ifyoudon’tspecifyadesiredcapacity,thedefaultdesiredcapacityistheminimumnumberofinstancesthatyouspecify.

TheCLIcommandthatfollowswillcreateanAutoScalinggroupthatreferencesthepreviouslaunchconfigurationandincludesthefollowingspecifications:

Name:myASG

Launchconfiguration:myLC

AvailabilityZones:us-east-1aandus-east-1c

Minimumsize:1

Desiredcapacity:3

Maximumcapacity:10

Loadbalancers:myELB

>awsautoscalingcreate-auto-scaling-group--auto–scaling-group-namemyASG--

launch-configuration-namemyLC--availability-zonesus-east-1a,us-east-1c--min-

size1--max-size10--desired-capacity3--load-balancer-namesmyELB

Figure5.1depictsdeployedAWSresourcesafteraloadbalancernamedmyELBiscreatedandthelaunchconfigurationmyLCandAutoScalingGroupmyASGaresetup.

FIGURE5.1AutoScalinggroupbehindanElasticLoadBalancingloadbalancer

AnAutoScalinggroupcanuseeitherOn-DemandorSpotInstancesastheAmazonEC2instancesitmanages.On-Demandisthedefault,butSpotInstancescanbeusedbyreferencingamaximumbidpriceinthelaunchconfiguration(—spot-price"0.15")associatedwiththeAutoScalinggroup.YoumaychangethebidpricebycreatinganewlaunchconfigurationwiththenewbidpriceandthenassociatingitwithyourAutoScalinggroup.Ifinstancesareavailableatorbelowyourbidprice,theywillbelaunchedinyourAutoScalinggroup.SpotInstancesinanAutoScalinggroupfollowthesameguidelinesasSpot

InstancesoutsideanAutoScalinggroupandrequireapplicationsthatareflexibleandcantolerateAmazonEC2instancesthatareterminatedwithshortnotice,forexample,whentheSpotpricerisesabovethebidpriceyousetinthelaunchconfiguration.AlaunchconfigurationcanreferenceOn-DemandInstancesorSpotInstances,butnotboth.

SpotOn!

AutoScalingsupportsusingcost-effectiveSpotInstances.Thiscanbeveryusefulwhenyouarehostingsiteswhereyouwanttoprovideadditionalcomputecapacitybutarepriceconstrained.Anexampleisa“freemium”sitemodelwhereyoumayoffersomebasicfunctionalitytousersforfreeandadditionalfunctionalityforpremiumuserswhopayforuse.SpotInstancescanbeusedforprovidingthebasicfunctionalitywhenavailablebyreferencingamaximumbidpriceinthelaunchconfiguration(—spot-price"0.15")associatedwiththeAutoScalinggroup.

ScalingPolicyYoucanassociateAmazonCloudWatchalarmsandscalingpolicieswithanAutoScalinggrouptoadjustAutoScalingdynamically.Whenathresholdiscrossed,AmazonCloudWatchsendsalarmstotriggerchanges(scalinginorout)tothenumberofAmazonEC2instancescurrentlyreceivingtrafficbehindaloadbalancer.AftertheAmazonCloudWatchalarmsendsamessagetotheAutoScalinggroup,AutoScalingexecutestheassociatedpolicytoscaleyourgroup.ThepolicyisasetofinstructionsthattellsAutoScalingwhethertoscaleout,launchingnewAmazonEC2instancesreferencedintheassociatedlaunchconfiguration,ortoscaleinandterminateinstances.

Thereareseveralwaystoconfigureascalingpolicy:Youcanincreaseordecreasebyaspecificnumberofinstances,suchasaddingtwoinstances;youcantargetaspecificnumberofinstances,suchasamaximumoffivetotalAmazonEC2instances;oryoucanadjustbasedonapercentage.Youcanalsoscalebystepsandincreaseordecreasethecurrentcapacityofthegroupbasedonasetofscalingadjustmentsthatvarybasedonthesizeofthealarmthresholdtrigger.

YoucanassociatemorethanonescalingpolicywithanAutoScalinggroup.Forexample,youcancreateapolicyusingthetriggerforCPUutilization,calledCPULoad,andtheCloudWatchmetricCPUUtilizationtospecifyscalingoutifCPUutilizationisgreaterthan75percentfortwominutes.YoucouldattachanotherpolicytothesameAutoScalinggrouptoscaleinifCPUutilizationislessthan40percentfor20minutes.

ThefollowingCLIcommandswillcreatethescalingpolicyjustdescribed.

>awsautoscalingput-scaling-policy--auto-scaling-group-namemyASG--policy-name

CPULoadScaleOut--scaling-adjustment1--adjustment-typeChangeInCapacity--

cooldown30>awsautoscalingput-scaling-policy--auto-scaling-group-namemyASG-

-policy-nameCPULoadScaleIn--scaling-adjustment-1--adjustment-type

ChangeInCapacity--cooldown600

ThefollowingCLIcommandswillassociateAmazonCloudWatchalarmsforscalingoutandscalinginwiththescalingpolicy,asshowninFigure5.2.Inthisexample,theAmazonCloudWatchalarmsreferencethescalingpolicybyAmazonResourceName(ARN).

FIGURE5.2AutoScalinggroupwithpolicy

>awscloudwatchput-metric-alarm--alarmnamecapacityAdd--metric-name

CPUUtilization--namespaceAWS/EC2--statisticAverage–-period300--threshold75

--comparison-operatorGreaterThanOrEqualToThreshold--dimensions

"Name=AutoScalingGroupName,Value=myASG"--evaluation-periods1--alarm-actions

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:12345678-90ab-cdef-

1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleOut--unitPercent

>awscloudwatchput-metric-alarm--alarmnamecapacityReduce--metric-name

CPUUtilization--namespaceAWS/EC2--statisticAverage--period1200--threshold40

--comparison-operatorGreaterThanOrEqualToThreshold--dimensions

"Name=AutoScalingGroupName,Value=myASG"--evaluation-periods1--alarm-actions

arn:aws:autoscaling:us-east-1:123456789011:scalingPolicy:11345678-90ab-cdef-

1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleIn--unitPercent

IfthescalingpolicydefinedinthepreviousparagraphisassociatedwiththeAutoScalinggroupnamedmyASG,andtheCPUutilizationisover75percentformorethanfiveminutes,asshowninFigure5.3,anewAmazonEC2instancewillbelaunchedandattachedtotheloadbalancernamedmyELB.

FIGURE5.3AmazonCloudWatchalarmtriggeringscalingout

ArecommendedbestpracticeistoscaleoutquicklyandscaleinslowlysoyoucanrespondtoburstsorspikesbutavoidinadvertentlyterminatingAmazonEC2instancestooquickly,onlyhavingtolaunchmoreAmazonEC2instancesiftheburstissustained.AutoScalingalsosupportsacooldownperiod,whichisaconfigurablesettingthatdetermineswhentosuspendscalingactivitiesforashorttimeforanAutoScalinggroup.

IfyoustartanAmazonEC2instance,youwillbebilledforonefullhourofrunningtime.Partialinstancehoursconsumedarebilledasfullhours.Thismeansthatifyouhaveapermissivescalingpolicythatlaunches,terminates,andrelaunchesmanyinstancesanhour,youarebillingafullhourforeachandeveryinstanceyoulaunch,evenifyouterminatesomeofthoseinstancesinlessthanhour.ArecommendedbestpracticeforcosteffectivenessistoscaleoutquicklywhenneededbutscaleinmoreslowlytoavoidhavingtorelaunchnewandseparateAmazonEC2instancesforaspikeinworkloaddemandthatfluctuatesupanddownwithinminutesbutgenerallycontinuestoneedmoreresourceswithinanhour.

Scaleoutquickly;scaleinslowly.

ItisimportanttoconsiderbootstrappingforAmazonEC2instanceslaunchedusingAutoScaling.IttakestimetoconfigureeachnewlylaunchedAmazonEC2instancebeforetheinstanceishealthyandcapableofacceptingtraffic.Instancesthatstartandareavailableforloadfastercanjointhecapacitypoolmorequickly.Furthermore,instancesthataremorestatelessinsteadofstatefulwillmoregracefullyenterandexitanAutoScalinggroup.

RollingOutaPatchatScale

InlargedeploymentsofAmazonEC2instances,AutoScalingcanbeusedtomakerollingoutapatchtoyourinstanceseasy.ThelaunchconfigurationassociatedwiththeAutoScalinggroupmaybemodifiedtoreferenceanewAMIandevenanewAmazonEC2instanceifneeded.Thenyoucanderegisterorterminateinstancesoneatatimeorinsmallgroups,andthenewAmazonEC2instanceswillreferencethenewpatchedAMI.

SummaryThischapterintroducedthreeservices:

ElasticLoadBalancing,whichisusedtodistributetrafficacrossagroupofAmazonEC2instancesinoneormoreAvailabilityZonestoachievegreaterlevelsoffaulttoleranceforyourapplications.

AmazonCloudWatch,whichmonitorsresourcesandapplications.AmazonCloudWatchisusedtocollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestoresourcesbeingmonitoredbasedonrulesyoudefine.

AutoScaling,whichallowsyoutoautomaticallyscaleyourAmazonEC2capacityoutandinusingcriteriathatyoudefine.

ThesethreeservicescanbeusedveryeffectivelytogethertocreateahighlyavailableapplicationwitharesilientarchitectureonAWS.

ExamEssentialsUnderstandwhattheElasticLoadBalancingserviceprovides.ElasticLoadBalancingisahighlyavailableservicethatdistributestrafficacrossAmazonEC2instancesandincludesoptionsthatprovideflexibilityandcontrolofincomingrequeststoAmazonEC2instances.

KnowthetypesofloadbalancerstheElasticLoadBalancingserviceprovidesandwhentouseeachone.AnInternet-facingloadbalanceris,asthenameimplies,aloadbalancerthattakesrequestsfromclientsovertheInternetanddistributesthemtoAmazonEC2instancesthatareregisteredwiththeloadbalancer.

AninternalloadbalancerisusedtoroutetraffictoyourAmazonEC2instancesinVPCswithprivatesubnets.

AnHTTPSloadbalancerisusedwhenyouwanttoencryptdatabetweenyourloadbalancerandtheclientsthatinitiateHTTPSsessionsandforconnectionsbetweenyourloadbalancerandyourback-endinstances.

KnowthetypesoflistenerstheElasticLoadBalancingserviceprovidesandtheusecaseandrequirementsforusingeachone.Alistenerisaprocessthatchecksforconnectionrequests.Itisconfiguredwithaprotocolandaportforfront-end(clienttoloadbalancer)connectionsandaprotocolandaportforback-end(loadbalancertoback-endinstance)connections.

UnderstandtheconfigurationoptionsforElasticLoadBalancing.ElasticLoadBalancingallowsyoutoconfiguremanyaspectsoftheloadbalancer,includingidleconnectiontimeout,cross-zoneloadbalancing,connectiondraining,proxyprotocol,stickysessions,andhealthchecks.

KnowwhatanElasticLoadBalancinghealthcheckisandwhyitisimportant.ElasticLoadBalancingsupportshealthcheckstotestthestatusoftheAmazonEC2instancesbehindanElasticLoadBalancingloadbalancer.

UnderstandwhattheamazonCloudWatchserviceprovidesandwhatusecasesthereareforusingit.AmazonCloudWatchisaservicethatyoucanusetomonitoryourAWSresourcesandyourapplicationsinrealtime.WithAmazonCloudWatch,youcancollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestotheresourcesbeingmonitoredbasedonrulesyoudefine.

Forexample,youmightchoosetomonitorCPUutilizationtodecidewhentoaddorremoveAmazonEC2instancesinanapplicationtier.Or,ifaparticularapplication-specificmetricthatisnotvisibletoAWSisthebestindicatorforassessingyourscalingneeds,youcanperformaPUTrequesttopushthatmetricintoAmazonCloudWatch.Youcanthenusethiscustommetrictomanagecapacity.

Knowthedifferencesbetweenthetwotypesofmonitoring—basicanddetailed—forAmazonCloudWatch.AmazonCloudWatchoffersbasicordetailedmonitoringforsupportedAWSproducts.BasicmonitoringsendsdatapointstoAmazonCloudWatcheveryfiveminutesforalimitednumberofpreselectedmetricsatnocharge.DetailedmonitoringsendsdatapointstoAmazonCloudWatcheveryminuteandallowsdataaggregationforan

additionalcharge.Ifyouwanttousedetailedmonitoring,youmustenableit—basicisthedefault.

UnderstandAutoScalingandwhyitisanimportantadvantageoftheAWSCloud.Adistinctadvantageofdeployingapplicationstothecloudistheabilitytolaunchandthenreleaseserversinresponsetovariableworkloads.Provisioningserversondemandandthenreleasingthemwhentheyarenolongerneededcanprovidesignificantcostsavingsforworkloadsthatarenotsteadystate.

KnowwhenandwhytouseAutoScaling.AutoScalingisaservicethatallowsyoutoscaleyourAmazonEC2capacityautomaticallybyscalingoutandscalinginaccordingtocriteriathatyoudefine.WithAutoScaling,youcanensurethatthenumberofrunningAmazonEC2instancesincreasesduringdemandspikesorpeakdemandperiodstomaintainapplicationperformanceanddecreasesautomaticallyduringdemandlullsortroughstominimizecosts.

KnowthesupportedAutoScalingplans.AutoScalinghasseveralschemesorplansthatyoucanusetocontrolhowyouwantAutoScalingtoperform.TheAutoScalingplansarenamedMaintainCurrentInstantLevels,ManualScaling,ScheduledScaling,andDynamicScaling.

UnderstandhowtobuildanAutoScalinglaunchconfigurationandanAutoScalinggroupandwhateachisusedfor.AlaunchconfigurationisthetemplatethatAutoScalingusestocreatenewinstancesandiscomposedoftheconfigurationname,AMI,AmazonEC2instancetype,securitygroup,andinstancekeypair.

Knowwhatascalingpolicyisandwhatusecasestouseitfor.AscalingpolicyisusedbyAutoScalingwithCloudWatchalarmstodeterminewhenyourAutoScalinggroupshouldscaleoutorscalein.EachCloudWatchalarmwatchesasinglemetricandsendsmessagestoAutoScalingwhenthemetricbreachesathresholdthatyouspecifyinyourpolicy.

UnderstandhowElasticLoadBalancing,amazonCloudWatch,andAutoScalingareusedtogethertoprovidedynamicscaling.ElasticLoadBalancing,AmazonCloudWatch,andAutoScalingcanbeusedtogethertocreateahighlyavailableapplicationwitharesilientarchitectureonAWS.

ExercisesForassistanceincompletingthefollowingexercises,refertotheElasticLoadBalancingDeveloperGuidelocatedathttp://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-

balancing.html,theAmazonCloudWatchDeveloperGuideathttp://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html

andtheAutoScalingUserGuideathttp://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html.

EXERCISE5.1

CreateanElasticLoadBalancingLoadBalancerInthisexercise,youwillusetheAWSManagementConsoletocreateanElasticLoadBalancingloadbalancer.

1. LaunchanAmazonEC2instanceusinganAMIwithawebserveronit,orinstallandconfigureawebserver.

2. CreateastaticpagetodisplayandahealthcheckpagethatreturnsHTTP200.ConfiguretheAmazonEC2instancetoaccepttrafficoverport80.

3. RegistertheAmazonEC2instancewiththeElasticLoadBalancingloadbalancer,andconfigureittousethehealthcheckpagetoevaluatethehealthoftheinstance.

EXERCISE5.2

UseanAmazonCloudWatchMetric1. LaunchanAmazonEC2instance.

2. UseanexistingAmazonCloudWatchmetrictomonitoravalue.

EXERCISE5.3

CreateaCustomAmazonCloudWatchMetric1. CreateacustomAmazonCloudWatchmetricformemoryconsumption.

2. UsetheCLItoPUTvaluesintothemetric.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html

http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html

http://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html

EXERCISE5.4

CreateaLaunchConfigurationandAutoScalingGroup1. UsingtheAWSManagementConsole,createalaunchconfigurationusinganexistingAMI.

2. CreateanAutoScalinggroupusingthislaunchconfigurationwithagroupsizeoffourandspanningtwoAvailabilityZones.Donotuseascalingpolicy.Keepthegroupatitsinitialsize.

3. ManuallyterminateanAmazonEC2instance,andobserveAutoScalinglaunchanewAmazonEC2instance.

EXERCISE5.5

CreateaScalingPolicy1. CreateanAmazonCloudWatchmetricandalarmforCPUutilizationusingtheAWSManagementConsole.

2. UsingtheAutoScalinggroupfromExercise5.4,edittheAutoScalinggrouptoincludeapolicythatusestheCPUutilizationalarm.

3. DriveCPUutilizationonthemonitoredAmazonEC2instance(s)uptoobserveAutoScaling.

EXERCISE5.6

CreateaWebApplicationThatScales1. CreateasmallwebapplicationarchitectedwithanElasticLoadBalancingloadbalancer,anAutoScalinggroupspanningtwoAvailabilityZonesthatusesanAmazonCloudWatchmetric,andanalarmattachedtoascalingpolicyusedbytheAutoScalinggroup.

2. VerifythatAutoScalingisoperatingcorrectlybyremovinginstancesanddrivingthemetricupanddowntoforceAutoScaling.

ReviewQuestions1. WhichofthefollowingarerequiredelementsofanAutoScalinggroup?(Choose2answers)

A. Minimumsize

B. Healthchecks

C. Desiredcapacity

D. Launchconfiguration

2. YouhavecreatedanElasticLoadBalancingloadbalancerlisteningonport80,andyouregistereditwithasingleAmazonElasticComputeCloud(AmazonEC2)instancealsolisteningonport80.Aclientmakesarequesttotheloadbalancerwiththecorrectprotocolandportfortheloadbalancer.Inthisscenario,howmanyconnectionsdoesthebalancermaintain?

A. 1

B. 2

C. 3

D. 4

3. HowlongdoesAmazonCloudWatchkeepmetricdata?

A. 1day

B. 2days

C. 1week

D. 2weeks

4. WhichofthefollowingaretheminimumrequiredelementstocreateanAutoScalinglaunchconfiguration?

A. Launchconfigurationname,AmazonMachineImage(AMI),andinstancetype

B. Launchconfigurationname,AMI,instancetype,andkeypair

C. Launchconfigurationname,AMI,instancetype,keypair,andsecuritygroup

D. Launchconfigurationname,AMI,instancetype,keypair,securitygroup,andblockdevicemapping

5. Youareresponsiblefortheapplicationloggingsolutionforyourcompany’sexistingapplicationsrunningonmultipleAmazonEC2instances.WhichofthefollowingisthebestapproachforaggregatingtheapplicationlogswithinAWS?

A. AmazonCloudWatchcustommetrics

B. AmazonCloudWatchLogsAgent

C. AnElasticLoadBalancinglistener

D. AninternalElasticLoadBalancingloadbalancer

6. WhichofthefollowingmustbeconfiguredonanElasticLoadBalancingloadbalancertoacceptincomingtraffic?

A. Aport

B. Anetworkinterface

C. Alistener

D. Aninstance

7. YoucreateanAutoScalinggroupinanewregionthatisconfiguredwithaminimumsizevalueof10,amaximumsizevalueof100,andadesiredcapacityvalueof50.However,younoticethat30oftheAmazonElasticComputeCloud(AmazonEC2)instanceswithintheAutoScalinggroupfailtolaunch.Whichofthefollowingisthecauseofthisbehavior?

A. YoucannotdefineanAutoScalinggrouplargerthan20.

B. TheAutoScalinggroupmaximumvaluecannotbemorethan20.

C. YoudidnotattachanElasticLoadBalancingloadbalancertotheAutoScalinggroup.

D. YouhavenotraisedyourdefaultAmazonEC2capacity(20)forthenewregion.

8. YouwanttohostmultipleHypertextTransferProtocolSecure(HTTPS)websitesonafleetofAmazonEC2instancesbehindanElasticLoadBalancingloadbalancerwithasingleX.509certificate.HowmustyouconfiguretheSecureSocketsLayer(SSL)certificatesothatclientsconnectingtotheloadbalancerarenotpresentedwithawarningwhentheyconnect?

A. CreateoneSSLcertificatewithaSubjectAlternativeName(SAN)valueforeachwebsitename.

B. CreateoneSSLcertificatewiththeServerNameIndication(SNI)valuechecked.

C. CreatemultipleSSLcertificateswithaSANvalueforeachwebsitename.

D. CreateSSLcertificatesforeachAvailabilityZonewithaSANvalueforeachwebsitename.

9. YourwebapplicationfrontendconsistsofmultipleAmazonComputeCloud(AmazonEC2)instancesbehindanElasticLoadBalancingloadbalancer.YouhaveconfiguredtheloadbalancertoperformhealthchecksontheseAmazonEC2instances.Ifaninstancefailstopasshealthchecks,whichstatementwillbetrue?

A. Theinstanceisreplacedautomaticallybytheloadbalancer.

B. Theinstanceisterminatedautomaticallybytheloadbalancer.

C. Theloadbalancerstopssendingtraffictotheinstancethatfaileditshealthcheck.

D. Theinstanceisquarantinedbytheloadbalancerforrootcauseanalysis.

10. InthebasicmonitoringpackageforAmazonElasticComputeCloud(AmazonEC2),whatAmazonCloudWatchmetricsareavailable?

A. Webservervisiblemetricssuchasnumberoffailedtransactionrequests

B. Operatingsystemvisiblemetricssuchasmemoryutilization

C. Databasevisiblemetricssuchasnumberofconnections

D. HypervisorvisiblemetricssuchasCPUutilization

11. Acellphonecompanyisrunningdynamic-contenttelevisioncommercialsforacontest.Theywanttheirwebsitetohandletrafficspikesthatcomeafteracommercialairs.Thewebsiteisinteractive,offeringpersonalizedcontenttoeachvisitorbasedonlocation,purchasehistory,andthecurrentcommercialairing.WhicharchitecturewillconfigureAutoScalingtoscaleouttorespondtospikesofdemand,whileminimizingcostsduringquietperiods?

A. SettheminimumsizeoftheAutoScalinggroupsothatitcanhandlehightrafficvolumeswithoutneedingtoscaleout.

B. CreateanAutoScalinggrouplargeenoughtohandlepeaktrafficloads,andthenstopsomeinstances.ConfigureAutoScalingtoscaleoutwhentrafficincreasesusingthestoppedinstances,sonewcapacitywillcomeonlinequickly.

C. ConfigureAutoScalingtoscaleoutastrafficincreases.ConfigurethelaunchconfigurationtostartnewinstancesfromapreconfiguredAmazonMachineImage(AMI).

D. UseAmazonCloudFrontandAmazonSimpleStorageService(AmazonS3)tocachechangingcontent,withtheAutoScalinggroupsetastheorigin.ConfigureAutoScalingtohavesufficientinstancesnecessarytoinitiallypopulateCloudFrontandAmazonElastiCache,andthenscaleinafterthecacheisfullypopulated.

12. Foranapplicationrunningintheap-northeast-1regionwiththreeAvailabilityZones(ap-northeast-1a,ap-northeast-1b,andap-northeast-1c),whichinstancedeploymentprovideshighavailabilityfortheapplicationthatnormallyrequiresninerunningAmazonElasticComputeCloud(AmazonEC2)instancesbutcanrunonaminimumof65percentcapacitywhileAutoScalinglaunchesreplacementinstancesintheremainingAvailabilityZones?

A. Deploytheapplicationonfourserversinap-northeast-1aandfiveserversinap-northeast-1b,andkeepfivestoppedinstancesinap-northeast-1aasreserve.

B. Deploytheapplicationonthreeserversinap-northeast-1a,threeserversinap-northeast-1b,andthreeserversinap-northeast-1c.

C. Deploytheapplicationonsixserversinap-northeast-1bandthreeserversinap-northeast-1c.

D. Deploytheapplicationonnineserversinap-northeast-1b,andkeepninestoppedinstancesinap-northeast-1aasreserve.

13. WhichofthefollowingarecharacteristicsoftheAutoScalingserviceonAWS?(Choose3answers)

A. Sendstraffictohealthyinstances

B. RespondstochangingconditionsbyaddingorterminatingAmazonElasticCompute

Cloud(AmazonEC2)instances

C. Collectsandtracksmetricsandsetsalarms

D. Deliverspushnotifications

E. LaunchesinstancesfromaspecifiedAmazonMachineImage(AMI)

F. EnforcesaminimumnumberofrunningAmazonEC2instances

14. WhyisthelaunchconfigurationreferencedbytheAutoScalinggroupinsteadofbeingpartoftheAutoScalinggroup?

A. ItallowsyoutochangetheAmazonElasticComputeCloud(AmazonEC2)instancetypeandAmazonMachineImage(AMI)withoutdisruptingtheAutoScalinggroup.

B. ItfacilitatesrollingoutapatchtoanexistingsetofinstancesmanagedbyanAutoScalinggroup.

C. ItallowsyoutochangesecuritygroupsassociatedwiththeinstanceslaunchedwithouthavingtomakechangestotheAutoScalinggroup.

D. Alloftheabove

E. Noneoftheabove

15. AnAutoScalinggroupmayuse:(Choose2answers)

A. On-DemandInstances

B. Stoppedinstances

C. SpotInstances

D. On-premisesinstances

E. AlreadyrunninginstancesiftheyusethesameAmazonMachineImage(AMI)astheAutoScalinggroup’slaunchconfigurationandarenotalreadypartofanotherAutoScalinggroup

16. AmazonCloudWatchsupportswhichtypesofmonitoringplans?(Choose2answers)

A. Basicmonitoring,whichisfree

B. Basicmonitoring,whichhasanadditionalcost

C. Adhocmonitoring,whichisfree

D. Adhocmonitoring,whichhasanadditionalcost

E. Detailedmonitoring,whichisfree

F. Detailedmonitoring,whichhasanadditionalcost

17. ElasticLoadBalancinghealthchecksmaybe:(Choose3answers)

A. Aping

B. Akeypairverification

C. Aconnectionattempt

D. Apagerequest

E. AnAmazonElasticComputeCloud(AmazonEC2)instancestatuscheck

18. WhenanAmazonElasticComputeCloud(AmazonEC2)instanceregisteredwithanElasticLoadBalancingloadbalancerusingconnectiondrainingisderegisteredorunhealthy,whichofthefollowingwillhappen?(Choose2answers)

A. Immediatelycloseallexistingconnectionstothatinstance.

B. Keeptheconnectionsopentothatinstance,andattempttocompletein-flightrequests.

C. Redirecttherequeststoauser-definederrorpagelike“Oopsthisisembarrassing”or“UnderConstruction.”

D. Forciblycloseallconnectionstothatinstanceafteratimeoutperiod.

E. Leavetheconnectionsopenaslongastheloadbalancerisrunning.

19. ElasticLoadBalancingsupportswhichofthefollowingtypesofloadbalancers?(Choose3answers)

A. Cross-region

B. Internet-facing

C. Interim

D. Itinerant

E. Internal

F. HypertextTransferProtocolSecure(HTTPS)usingSecureSocketsLayer(SSL)

20. AutoScalingsupportswhichofthefollowingplansforAutoScalinggroups?(Choose3answers)

A. Predictive

B. Manual

C. Preemptive

D. Scheduled

E. Dynamic

F. End-userrequestdriven

G. Optimistic

Chapter6AWSIdentityandAccessManagement(IAM)THEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonS3,ElasticBeanstalk,CloudFormation,AmazonVirtualPrivateCloud(VPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.


ConfigureIAMpoliciesandbestpractices




AWSIdentityandAccessManagement(IAM)

IntroductionInthischapter,youwilllearnhowAWSIdentityandAccessManagement(IAM)securesinteractionswiththeAWSresourcesinyouraccount,including:

WhichprincipalsinteractwithAWSthroughtheAWSManagementConsole,CommandLineInterface(CLI),andSoftwareDevelopmentKits(SDKs)

Howeachprincipalisauthenticated

HowIAMpoliciesarewrittentospecifytheaccessprivilegesofprincipals

HowIAMpoliciesareassociatedwithprincipals

HowtosecureyourinfrastructurefurtherthroughMulti-FactorAuthentication(MFA)andkeyrotation

HowIAMrolescanbeusedtodelegatepermissionsandfederateusers

Howtoresolvemultiple,possiblyconflictingIAMpermissions

IAMisapowerfulservicethatallowsyoutocontrolhowpeopleandprogramsareallowedtomanipulateyourAWSinfrastructure.IAMusestraditionalidentityconceptssuchasusers,groups,andaccesscontrolpoliciestocontrolwhocanuseyourAWSaccount,whatservicesandresourcestheycanuse,andhowtheycanusethem.ThecontrolprovidedbyIAMisgranularenoughtolimitasingleusertotheabilitytoperformasingleactiononaspecificresourcefromaspecificIPaddressduringaspecifictimewindow.ApplicationscanbegrantedaccesstoAWSresourceswhethertheyarerunningon-premisesorinthecloud.ThisflexibilitycreatesaverypowerfulsystemthatwillgiveyouallthepoweryouneedtoensurethatyourAWSaccountusershavetheabilitytomeetyourbusinessneedswhileaddressingallofthesecurityconcernsofyourorganization.

ThischapterwillcoverthedifferentprincipalsthatcaninteractwithAWSandhowtheyareauthenticated.Itwillthendiscusshowtowritepoliciesthatdefinepermittedaccesstoservices,actions,andresourcesandassociatethesepolicieswithauthenticatedprincipals.Finally,itwillcoveradditionalfeaturesofIAMthatwillhelpyousecureyourinfrastructure,includingMFA,rotatingkeys,federation,resolvingmultiplepermissions,andusingIAMroles.

AsimportantasitistoknowwhatIAMisexactly,itisequallyimportanttounderstandwhatitisnot:

First,IAMisnotanidentitystore/authorizationsystemforyourapplications.ThepermissionsthatyouassignarepermissionstomanipulateAWSinfrastructure,notpermissionswithinyourapplication.Ifyouaremigratinganexistingon-premisesapplicationthatalreadyhasitsownuserrepositoryandauthentication/authorizationmechanism,thenthatshouldcontinuetoworkwhenyoudeployonAWSandisprobablytherightchoice.IfyourapplicationidentitiesarebasedonActiveDirectory,youron-premisesActiveDirectorycanbeextendedintothecloudtocontinuetofillthatneed.AgreatsolutionforusingActiveDirectoryinthecloudisAWSDirectoryService,whichisanActiveDirectory-compatibledirectoryservicethatcanworkonitsownorintegratewithyouron-premisesActiveDirectory.Finally,ifyouareworkingwithamobileapp,considerAmazonCognitoforidentitymanagementformobileapplications.

Second,IAMisnotoperatingsystemidentitymanagement.Rememberthatunderthesharedresponsibilitymodel,youareincontrolofyouroperatingsystemconsoleandconfiguration.WhatevermechanismyoucurrentlyusetocontrolaccesstoyourserverinfrastructurewillcontinuetoworkonAmazonElasticComputeCloud(AmazonEC2)instances,whetherthatismanagingindividualmachineloginaccountsoradirectoryservicesuchasActiveDirectoryorLightweightDirectoryAccessProtocol(LDAP).YoucanrunanActiveDirectoryorLDAPserveronAmazonEC2,oryoucanextendyouron-premisessystemintothecloud.AWSDirectoryServicewillalsoworkwelltoprovideActiveDirectoryfunctionalityinthecloudasaservice,whetherstandaloneorintegratedwithyourexistingActiveDirectory.

Table6.1summarizestherolethatdifferentauthenticationsystemscanplayinyourAWSenvironment.

TABLE6.1AuthenticationTechnologies

UseCase TechnologySolutions

OperatingSystemAccess ActiveDirectoryLDAPMachine-specificaccounts

ApplicationAccess ActiveDirectoryApplicationUserRepositoriesAmazonCognito

AWSResources IAM

IAMiscontrolledlikemostotherAWSCloudservices:

ThroughtheAWSManagementConsole—Likeotherservices,theAWSManagementConsoleistheeasiestwaytostartlearningaboutandmanipulatingaservice.

WiththeCLI—Asyoulearnthesystem,youcanstartscriptingrepeatedtasksusingtheCLI.

ViatheAWSSDKs—EventuallyyoumaystartwritingyourowntoolsandcomplexprocessesbymanipulatingIAMdirectlythroughtheRESTAPIviaoneofseveralSDKs.

AllofthesemethodsworktocontrolIAMjustastheyworkwithotherservices.Inaddition,theAWSPartnerNetwork(APN)includesarichecosystemoftoolstomanageandextendIAM.

PrincipalsThefirstIAMconcepttounderstandisprincipals.AprincipalisanIAMentitythatisallowedtointeractwithAWSresources.Aprincipalcanbepermanentortemporary,anditcanrepresentahumanoranapplication.Therearethreetypesofprincipals:rootusers,IAMusers,androles/temporarysecuritytokens.

RootUserWhenyoufirstcreateanAWSaccount,youbeginwithonlyasinglesign-inprincipalthathascompleteaccesstoallAWSCloudservicesandresourcesintheaccount.Thisprincipaliscalledtherootuser.AslongasyouhaveanopenaccountwithAWS,therootuserforthatrelationshipwillpersist.TherootusercanbeusedforbothconsoleandprogrammaticaccesstoAWSresources.

TherootuserissimilarinconcepttotheUNIXrootorWindowsAdministratoraccount—ithasfullprivilegestodoanythingintheaccount,includingclosingtheaccount.Itisstronglyrecommendedthatyoudonotusetherootuserforyoureverydaytasks,eventheadministrativeones.Instead,adheretothebestpracticeofusingtherootuseronlytocreateyourfirstIAMuserandthensecurelylockingawaytherootusercredentials.

IAMUsersUsersarepersistentidentitiessetupthroughtheIAMservicetorepresentindividualpeopleorapplications.YoumaycreateseparateIAMusersforeachmemberofyouroperationsteamsotheycaninteractwiththeconsoleandusetheCLI.Youmightalsocreatedev,test,andproductionusersforapplicationsthatneedtoaccessAWSCloudservices(althoughyouwillseelaterinthischapterthatIAMrolesmaybeabettersolutionforthatusecase).

IAMuserscanbecreatedbyprincipalswithIAMadministrativeprivilegesatanytimethroughtheAWSManagementConsole,CLI,orSDKs.Usersarepersistentinthatthereisnoexpirationperiod;theyarepermanententitiesthatexistuntilanIAMadministratortakesanactiontodeletethem.

Usersareanexcellentwaytoenforcetheprincipleofleastprivilege;thatis,theconceptofallowingapersonorprocessinteractingwithyourAWSresourcestoperformexactlythetaskstheyneedbutnothingelse.Userscanbeassociatedwithverygranularpoliciesthatdefinethesepermissions.Policieswillbecoveredinalatersection.

Roles/TemporarySecurityTokensRolesandtemporarysecuritytokensareveryimportantforadvancedIAMusage,butmanyAWSusersfindthemconfusing.Rolesareusedtograntspecificprivilegestospecificactorsforasetdurationoftime.TheseactorscanbeauthenticatedbyAWSorsometrustedexternalsystem.Whenoneoftheseactorsassumesarole,AWSprovidestheactorwithatemporarysecuritytokenfromtheAWSSecurityTokenService(STS)thattheactorcanusetoaccess

AWSCloudservices.Requestingatemporarysecuritytokenrequiresspecifyinghowlongthetokenwillexistbeforeitexpires.Therangeofatemporarysecuritytokenlifetimeis15minutesto36hours.

Rolesandtemporarysecuritytokensenableanumberofusecases:

AmazonEC2Roles—GrantingpermissionstoapplicationsrunningonanAmazonEC2instance.

Cross-AccountAccess—GrantingpermissionstousersfromotherAWSaccounts,whetheryoucontrolthoseaccountsornot.

Federation—Grantingpermissionstousersauthenticatedbyatrustedexternalsystem.

AmazonEC2RolesGrantingpermissionstoanapplicationisalwaystricky,asitusuallyrequiresconfiguringtheapplicationwithsomesortofcredentialuponinstallation.Thisleadstoissuesaroundsecurelystoringthecredentialpriortouse,howtoaccessitsafelyduringinstallation,andhowtosecureitintheconfiguration.SupposethatanapplicationrunningonanAmazonEC2instanceneedstoaccessanAmazonSimpleStorageService(AmazonS3)bucket.ApolicygrantingpermissiontoreadandwritethatbucketcanbecreatedandassignedtoanIAMuser,andtheapplicationcanusetheaccesskeyforthatIAMusertoaccesstheAmazonS3bucket.Theproblemwiththisapproachisthattheaccesskeyfortheusermustbeaccessibletotheapplication,probablybystoringitinsomesortofconfigurationfile.Theprocessforobtainingtheaccesskeyandstoringitencryptedintheconfigurationisusuallycomplicatedandahindrancetoagiledevelopment.Additionally,theaccesskeyisatriskwhenbeingpassedaround.Finally,whenthetimecomestorotatetheaccesskey,therotationinvolvesperformingthatwholeprocessagain.

UsingIAMrolesforAmazonEC2removestheneedtostoreAWScredentialsinaconfigurationfile.

AnalternativeistocreateanIAMrolethatgrantstherequiredaccesstotheAmazonS3bucket.WhentheAmazonEC2instanceislaunched,theroleisassignedtotheinstance.WhentheapplicationrunningontheinstanceusestheApplicationProgrammingInterface(API)toaccesstheAmazonS3bucket,itassumestheroleassignedtotheinstanceandobtainsatemporarytokenthatitsendstotheAPI.TheprocessofobtainingthetemporarytokenandpassingittotheAPIishandledautomaticallybymostoftheAWSSDKs,allowingtheapplicationtomakeacalltoaccesstheAmazonS3bucketwithoutworryingaboutauthentication.Inadditiontobeingeasyforthedeveloper,thisremovesanyneedtostoreanaccesskeyinaconfigurationfile.Also,becausetheAPIaccessusesatemporarytoken,thereisnofixedaccesskeythatmustberotated.

Cross-AccountAccessAnothercommonusecaseforIAMrolesistograntaccesstoAWSresourcestoIAMusersinotherAWSaccounts.TheseaccountsmaybeotherAWSaccountscontrolledbyyourcompanyoroutsideagentslikecustomersorsuppliers.YoucansetupanIAMrolewiththe

permissionsyouwanttogranttousersintheotheraccount,thenusersintheotheraccountcanassumethatroletoaccessyourresources.Thisishighlyrecommendedasabestpractice,asopposedtodistributingaccesskeysoutsideyourorganization.

FederationManyorganizationsalreadyhaveanidentityrepositoryoutsideofAWSandwouldratherleveragethatrepositorythancreateanewandlargelyduplicaterepositoryofIAMusers.Similarly,web-basedapplicationsmaywanttoleverageweb-basedidentitiessuchasFacebook,Google,orLoginwithAmazon.IAMIdentityProvidersprovidetheabilitytofederatetheseoutsideidentitieswithIAMandassignprivilegestothoseusersauthenticatedoutsideofIAM.

IAMcanintegratewithtwodifferenttypesofoutsideIdentityProviders(IdP).ForfederatingwebidentitiessuchasFacebook,Google,orLoginwithAmazon,IAMsupportsintegrationviaOpenIDConnect(OIDC).ThisallowsIAMtograntprivilegestousersauthenticatedwithsomeofthemajorweb-basedIdPs.Forfederatinginternalidentities,suchasActiveDirectoryorLDAP,IAMsupportsintegrationviaSecurityAssertionMarkupLanguage2.0(SAML).ASAML-compliantIdPsuchasActiveDirectoryFederationServices(ADFS)isusedtofederatetheinternaldirectorytoIAM.(InstructionsforconfiguringmanycompatibleproductscanbefoundontheAWSwebsite.)Ineachcase,federationworksbyreturningatemporarytokenassociatedwitharoletotheIdPfortheauthenticatedidentitytouseforcallstotheAWSAPI.TheactualrolereturnedisdeterminedviainformationreceivedfromtheIdP,eitherattributesoftheuserintheon-premisesidentitystoreortheusernameandauthenticatingserviceofthewebidentitystore.

ThethreetypesofprincipalsandtheirgeneraltraitsarelistedinTable6.2.

TABLE6.2TraitsofAWSPrincipals

Principal Traits

RootUser CannotbelimitedPermanent

IAMUsers AccesscontrolledbypolicyDurableCanberemovedbyIAMadministrator

Roles/TemporarySecurityTokens AccesscontrolledbypolicyTemporaryExpireafterspecifictimeinterval

AuthenticationTherearethreewaysthatIAMauthenticatesaprincipal:

UserName/Password—Whenaprincipalrepresentsahumaninteractingwiththeconsole,thehumanwillprovideausername/passwordpairtoverifytheiridentity.IAMallowsyoutocreateapasswordpolicyenforcingpasswordcomplexityandexpiration.

AccessKey—AnaccesskeyisacombinationofanaccesskeyID(20characters)andanaccesssecretkey(40characters).WhenaprogramismanipulatingtheAWSinfrastructureviatheAPI,itwillusethesevaluestosigntheunderlyingRESTcallstotheservices.TheAWSSDKsandtoolshandlealltheintricaciesofsigningtheRESTcalls,sousinganaccesskeywillalmostalwaysbeamatterofprovidingthevaluestotheSDKortool.

AccessKey/SessionToken—Whenaprocessoperatesunderanassumedrole,thetemporarysecuritytokenprovidesanaccesskeyforauthentication.Inadditiontotheaccesskey(rememberthatitconsistsoftwoparts),thetokenalsoincludesasessiontoken.CallstoAWSmustincludeboththetwo-partaccesskeyandthesessiontokentoauthenticate.

ItisimportanttonotethatwhenanIAMuseriscreated,ithasneitheranaccesskeynorapassword,andtheIAMadministratorcansetupeitherorboth.ThisaddsanextralayerofsecurityinthatconsoleuserscannotusetheircredentialstorunaprogramthataccessesyourAWSinfrastructure.

Figure6.1showsasummaryofthedifferentauthenticationmethods.

FIGURE6.1DifferentidentitiesauthenticatingwithAWS

AuthorizationAfterIAMhasauthenticatedaprincipal,itmustthenmanagetheaccessofthatprincipaltoprotectyourAWSinfrastructure.Theprocessofspecifyingexactlywhatactionsaprincipalcanandcannotperformiscalledauthorization.AuthorizationishandledinIAMbydefiningspecificprivilegesinpoliciesandassociatingthosepolicieswithprincipals.

PoliciesUnderstandinghowaccessmanagementworksunderIAMbeginswithunderstandingpolicies.ApolicyisaJSONdocumentthatfullydefinesasetofpermissionstoaccessandmanipulateAWSresources.Policydocumentscontainoneormorepermissions,witheachpermissiondefining:

Effect—Asingleword:AlloworDeny.

Service—Forwhatservicedoesthispermissionapply?MostAWSCloudservicessupportgrantingaccessthroughIAM,includingIAMitself.

Resource—TheresourcevaluespecifiesthespecificAWSinfrastructureforwhichthispermissionapplies.ThisisspecifiedasanAmazonResourceName(ARN).TheformatforanARNvariesslightlybetweenservices,butthebasicformatis:

"arn:aws:service:region:account-id:[resourcetype:]resource"

Forsomeservices,wildcardvaluesareallowed;forinstance,anAmazonS3ARNcouldhavearesourceoffoldername\*toindicateallobjectsinthespecifiedfolder.Table6.3displayssomesampleARNs.

TABLE6.3SampleARNs

Resource ARNFormat

AmazonS3Bucket arn:aws:s3:us-east-1:123456789012:my_corporate_bucket/*

IAMUser arn:aws:iam:us-east-1:123456789012:user/David

AmazonDynamoDBTable arn:aws:dynamodb:us-east-1:123456789012:table/tablename

Action—Theactionvaluespecifiesthesubsetofactionswithinaservicethatthepermissionallowsordenies.Forinstance,apermissionmaygrantaccesstoanyread-basedactionforAmazonS3.Asetofactionscanbespecifiedwithanenumeratedlistorbyusingwildcards(Read*).

Condition—Theconditionvalueoptionallydefinesoneormoreadditionalrestrictionsthatlimittheactionsallowedbythepermission.Forinstance,thepermissionmightcontainaconditionthatlimitstheabilitytoaccessaresourcetocallsthatcomefromaspecificIPaddressrange.Anotherconditioncouldrestrictthepermissiononlytoapplyduringaspecifictimeinterval.Therearemanytypesofpermissionsthatallowarichvarietyoffunctionalitythatvariesbetweenservices.SeetheIAMdocumentationforlistsofsupportedconditionsforeachservice.

Asamplepolicyisshowninthefollowinglisting.Thispolicyallowsaprincipaltolistthe

objectsinaspecificbucketandtoretrievethoseobjects,butonlyifthecallcomesfromaspecificIPaddress.

{

"Version":"2012–10–17",

"Statement":[

{

"Sid":"Stmt1441716043000",

"Effect":"Allow", <-Thispolicygrantsaccess

"Action":[<-Allowsidentitiestolist

"s3:GetObject",<-andgetobjectsin

"s3:ListBucket"<-theS3bucket

],

"Condition":{

"IpAddress":{ <-Onlyfromaspecific

"aws:SourceIp":"192.168.0.1" <-IPAddress

}

},

"Resource":[

"arn:aws:s3:::my_public_bucket/*" <-Onlythisbucket

]

}

]

}

AssociatingPolicieswithPrincipalsThereareseveralwaystoassociateapolicywithanIAMuser;thissectionwillonlycoverthemostcommon.

ApolicycanbeassociateddirectlywithanIAMuserinoneoftwoways:

UserPolicy—Thesepoliciesexistonlyinthecontextoftheusertowhichtheyareattached.Intheconsole,auserpolicyisenteredintotheuserinterfaceontheIAMuserpage.

ManagedPolicies—ThesepoliciesarecreatedinthePoliciestabontheIAMpage(orthroughtheCLI,andsoforth)andexistindependentlyofanyindividualuser.Inthisway,thesamepolicycanbeassociatedwithmanyusersorgroupsofusers.TherearealargenumberofpredefinedmanagedpoliciesthatyoucanreviewonthePoliciestaboftheIAMpageintheAWSManagementConsole.Inaddition,youcanwriteyourownpoliciesspecifictoyourusecases.

Usingpredefinedmanagedpoliciesensuresthatwhennewpermissionsareaddedfornewfeatures,youruserswillstillhavethecorrectaccess.

TheothercommonmethodforassociatingpolicieswithusersiswiththeIAMgroupsfeature.Groupssimplifymanagingpermissionsforlargenumbersofusers.Afterapolicyisassignedtoagroup,anyuserwhoisamemberofthatgroupassumesthosepermissions.Thismakesitsimplertoassignpoliciestoanentireteaminyourorganization.Forinstance,ifyoucreatean“Operations”groupwitheveryIAMuserforyouroperationsteamassignedtothatgroup,thenitisasimplemattertoassociatetheneededpermissionstothegroup,andallofthe

team’sIAMuserswillassumethosepermissions.NewIAMuserscanthenbeassigneddirectlytothegroup.

ThisisamuchsimplermanagementprocessthanhavingtoreviewwhatpoliciesanewIAMuserfortheoperationsteamshouldreceiveandmanuallyaddingthosepoliciestotheuser.TherearetwowaysapolicycanbeassociatedwithanIAMgroup:

GroupPolicy—Thesepoliciesexistonlyinthecontextofthegrouptowhichtheyareattached.IntheAWSManagementConsole,agrouppolicyisenteredintotheuserinterfaceontheIAMGrouppage.

ManagedPolicies—Inthesamewaythatmanagedpolicies(discussedinthe“Authorization”section)canbeassociatedwithIAMusers,theycanalsobeassociatedwithIAMgroups.

Figure6.2showsthedifferentwaysthatpolicescanbeassociatedwithanIAMUser.

FIGURE6.2AssociatingIAMuserswithpolicies

AgoodfirststepistousetherootusertocreateanewIAMgroupcalled“IAMAdministrators”andassignthemanagedpolicy,“IAMFullAccess.”ThencreateanewIAMusercalled“Administrator,”assignapassword,andaddittotheIAMAdministratorsgroup.Atthispoint,youcanlogoffastherootuserandperformallfurtheradministrationwiththeIAMuseraccount.

Thefinalwayanactorcanbeassociatedwithapolicyisbyassumingarole.Inthiscase,theactorcanbe:

AnauthenticatedIAMuser(personorprocess).Inthiscase,theIAMusermusthavetherightstoassumetherole.

ApersonorprocessauthenticatedbyatrustedserviceoutsideofAWS,suchasanon-premisesLDAPdirectoryorawebauthenticationservice.Inthissituation,anAWSCloudservicewillassumetheroleontheactor’sbehalfandreturnatokentotheactor.

Afteranactorhasassumedarole,itisprovidedwithatemporarysecuritytokenassociatedwiththepoliciesofthatrole.ThetokencontainsalltheinformationrequiredtoauthenticateAPIcalls.Thisinformationincludesastandardaccesskeyplusanadditionalsessiontokenrequiredforauthenticatingcallsunderanassumedrole.

OtherKeyFeaturesBeyondthecriticalconceptsofprincipals,authentication,andauthorization,thereareseveralotherfeaturesoftheIAMservicethatareimportanttounderstandtorealizethefullbenefitsofIAM.

Multi-FactorAuthentication(MFA)Multi-FactorAuthentication(MFA)canaddanextralayerofsecuritytoyourinfrastructurebyaddingasecondmethodofauthenticationbeyondjustapasswordoraccesskey.WithMFA,authenticationalsorequiresenteringaOne-TimePassword(OTP)fromasmalldevice.TheMFAdevicecanbeeitherasmallhardwaredeviceyoucarrywithyouoravirtualdeviceviaanapponyoursmartphone(forexample,theAWSVirtualMFAapp).

MFArequiresyoutoverifyyouridentitywithbothsomethingyouknowandsomethingyouhave.

MFAcanbeassignedtoanyIAMuseraccount,whethertheaccountrepresentsapersonorapplication.WhenapersonusinganIAMuserconfiguredwithMFAattemptstoaccesstheAWSManagementConsole,afterprovidingtheirpasswordtheywillbepromptedtoenterthecurrentcodedisplayedontheirMFAdevicebeforebeinggrantedaccess.AnapplicationusinganIAMuserconfiguredwithMFAmustquerytheapplicationusertoprovidethecurrentcode,whichtheapplicationwillthenpasstotheAPI.

ItisstronglyrecommendedthatAWScustomersaddMFAprotectiontotheirrootuser.

RotatingKeysThesecurityriskofanycredentialincreaseswiththeageofthecredential.Tothisend,itisasecuritybestpracticetorotateaccesskeysassociatedwithyourIAMusers.IAMfacilitatesthisprocessbyallowingtwoactiveaccesskeysatatime.Theprocesstorotatekeyscanbeconductedviatheconsole,CLI,orSDKs:

1. Createanewaccesskeyfortheuser.

2. Reconfigureallapplicationstousethenewaccesskey.

3. Disabletheoriginalaccesskey(disablinginsteadofdeletingatthisstageiscritical,asitallowsrollbacktotheoriginalkeyifthereareissueswiththerotation).

4. Verifytheoperationofallapplications.

5. Deletetheoriginalaccesskey.

Accesskeysshouldberotatedonaregularschedule.

ResolvingMultiplePermissions

Occasionally,multiplepermissionswillbeapplicablewhendeterminingwhetheraprincipalhastheprivilegetoperformsomeaction.ThesepermissionsmaycomefrommultiplepoliciesassociatedwithaprincipalorresourcepoliciesattachedtotheAWSresourceinquestion.Itisimportanttoknowhowconflictsbetweenthesepermissionsareresolved:

1. Initiallytherequestisdeniedbydefault.

2. Alltheappropriatepoliciesareevaluated;ifthereisanexplicit“deny”foundinanypolicy,therequestisdeniedandevaluationstops.

3. Ifnoexplicit“deny”isfoundandanexplicit“allow”isfoundinanypolicy,therequestisallowed.

4. Iftherearenoexplicit“allow”or“deny”permissionsfound,thenthedefault“deny”ismaintainedandtherequestisdenied.

TheonlyexceptiontothisruleisifanAssumeRolecallincludesaroleandapolicy,thepolicycannotexpandtheprivilegesoftherole(forexample,thepolicycannotoverrideanypermissionthatisdeniedbydefaultintherole).

SummaryIAMisapowerfulservicethatgivesyoutheabilitytocontrolwhichpeopleandapplicationscanaccessyourAWSaccountataverygranularlevel.BecausetherootuserinanAWSaccountcannotbelimited,youshouldsetupIAMusersandtemporarysecuritytokensforyourpeopleandprocessestointeractwithAWS.

Policiesdefinewhatactionscanandcannotbetaken.PoliciesareassociatedwithIAMuserseitherdirectlyorthroughgroupmembership.AtemporarysecuritytokenisassociatedwithapolicybyassuminganIAMrole.YoucanwriteyourownpoliciesoruseoneofthemanagedpoliciesprovidedbyAWS.

CommonusecasesforIAMrolesincludefederatingidentitiesfromexternalIdPs,assigningprivilegestoanAmazonEC2instancewheretheycanbeassumedbyapplicationsrunningontheinstance,andcross-accountaccess.

IAMuseraccountscanbefurthersecuredbyrotatingkeys,implementingMFA,andaddingconditionstopolicies.MFAensuresthatauthenticationisbasedonsomethingyouhaveinadditiontosomethingyouknow,andconditionscanaddfurtherrestrictionssuchaslimitingclientIPaddressrangesorsettingaparticulartimeinterval.

ExamEssentialsKnowthedifferentprincipalsinIAM.ThethreeprincipalsthatcanauthenticateandinteractwithAWSresourcesaretherootuser,IAMusers,androles.TherootuserisassociatedwiththeactualAWSaccountandcannotberestrictedinanyway.IAMusersarepersistentidentitiesthatcanbecontrolledthroughIAM.Rolesallowpeopleorprocessestheabilitytooperatetemporarilywithadifferentidentity.Peopleorprocessesassumearolebybeinggrantedatemporarysecuritytokenthatwillexpireafteraspecifiedperiodoftime.

KnowhowprincipalsareauthenticatedinIAM.WhenyoulogintotheAWSManagementConsoleasanIAMuserorrootuser,youuseausername/passwordcombination.AprogramthataccessestheAPIwithanIAMuserorrootuserusesatwo-partaccesskey.Atemporarysecuritytokenauthenticateswithanaccesskeyplusanadditionalsessiontokenuniquetothattemporarysecuritytoken.

Knowthepartsofapolicy.ApolicyisaJSONdocumentthatdefinesoneormorepermissionstointeractwithAWSresources.Eachpermissionincludestheeffect,service,action,andresource.Itmayalsoincludeoneormoreconditions.AWSmakesmanypredefinedpoliciesavailableasmanagedpolicies.

Knowhowapolicyisassociatedwithaprincipal.Anauthenticatedprincipalisassociatedwithzerotomanypolicies.ForanIAMuser,thesepoliciesmaybeattacheddirectlytotheuseraccountorattachedtoanIAMgroupofwhichtheuseraccountisamember.AtemporarysecuritytokenisassociatedwithpoliciesbyassuminganIAMrole.

UnderstandMFA.MFAincreasesthesecurityofanAWSaccountbyaugmentingthepassword(somethingyouknow)witharotatingOTPfromasmalldevice(somethingyouhave),ensuringthatanyoneauthenticatingtheaccounthasbothknowledgeofthepasswordandpossessionofthedevice.AWSsupportsbothGemaltohardwareMFAdevicesandanumberofvirtualMFAapps.

Understandkeyrotation.ToprotectyourAWSinfrastructure,accesskeysshouldberotatedregularly.AWSallowstwoaccesskeystobevalidsimultaneouslytomaketherotationprocessstraightforward:Generateanewaccesskey,configureyourapplicationtousethenewaccesskey,test,disabletheoriginalaccesskey,test,deletetheoriginalaccesskey,andtestagain.

UnderstandIAMrolesandfederation.IAMrolesareprepackagedsetsofpermissionsthathavenocredentials.Principalscanassumearoleandthenusetheassociatedpermissions.Whenatemporarysecuritytokeniscreated,itassumesarolethatdefinesthepermissionsassignedtothetoken.WhenanAmazonEC2instanceisassociatedwithanIAMrole,SDKcallsacquireatemporarysecuritytokenbasedontheroleassociatedwiththeinstanceandusethattokentoaccessAWSresources.

RolesarethebasisforfederatingexternalIdPswithAWS.YouconfigureanIAMIdPtointeractwiththeexternalIdP,theauthenticatedidentityfromtheIdPismappedtoarole,andatemporarysecuritytokenisreturnedthathasassumedthatrole.AWSsupportsbothSAMLandOIDCIdPs.

Knowhowtoresolveconflictingpermissions.Resolvingmultiplepermissionsis

relativelystraightforward.Ifanactiononaresourcehasnotbeenexplicitlyallowedbyapolicy,itisdenied.Iftwopoliciescontradicteachother;thatis,ifonepolicyallowsanactiononaresourceandanotherpolicydeniesthataction,theactionisdenied.Whilethissoundsimprobable,itmayoccurduetoscopedifferencesinapolicy.OnepolicymayexposeanentirefleetofAmazonEC2instances,andasecondpolicymayexplicitlylockdownoneparticularinstance.

ExercisesForassistanceincompletingthefollowingexercises,refertotheIAMUserGuideathttp://docs.aws.amazon.com/IAM/latest/UserGuide/.

EXERCISE6.1

CreateanIAMGroupInthisexercise,youwillcreateagroupforallIAMadministratorusersandassigntheproperpermissionstothenewgroup.Thiswillallowyoutoavoidassigningpoliciesdirectlytoauserlaterintheseexercises.

1. Loginastherootuser.

2. CreateanIAMgroupcalledAdministrators.

3. Attachthemanagedpolicy,IAMFullAccess,totheAdministratorsgroup.

EXERCISE6.2

CreateaCustomizedSign-InLinkandPasswordPolicyInthisexercise,youwillsetupyouraccountwithsomebasicIAMsafeguards.Thepasswordpolicyisarecommendedsecuritypractice,andthesign-inlinkmakesiteasierforyouruserstologintotheAWSManagementConsole.

1. Customizeasign-inlink,andwritedownthenewlinknameinfull.

2. Createapasswordpolicyforyouraccount.

EXERCISE6.3

CreateanIAMUserInthisexercise,youwillcreateanIAMuserwhocanperformalladministrativeIAMfunctions.Thenyouwillloginasthatusersothatyounolongerneedtousetherootuserlogin.Usingtherootuserloginonlywhenexplicitlyrequiredisarecommendedsecuritypractice(alongwithaddingMFAtoyourrootuser).

1. Whileloggedinastherootuser,createanewIAMusercalledAdministrator.

2. AddyournewusertotheAdministratorsgroup.

3. OntheDetailspagefortheadministratoruser,createapassword.

4. Logoutastherootuser.

5. Usethecustomizedsign-inlinktosigninasAdministrator.

http://docs.aws.amazon.com/IAM/latest/UserGuide/

EXERCISE6.4

CreateandUseanIAMRoleInthisexercise,youwillcreateanIAMrole,associateitwithanewinstance,andverifythatapplicationsrunningontheinstanceassumethepermissionsoftherole.IAMrolesallowyoutoavoidstoringaccesskeysonyourAmazonEC2instances.

1. Whilesignedinasadministrator,createanAmazonEC2-typerolenamedS3Client.

2. Attachthemanagedpolicy,AmazonS3ReadOnlyAccess,toS3Client.

3. LaunchanAmazonLinuxEC2instancewiththenewroleattached(AmazonLinuxAMIscomewithCLIinstalled).

4. SSHintothenewinstance,andusetheCLItolistthecontentsofanAmazonS3bucket.

EXERCISE6.5

RotateKeysInthisexercise,youwillgothroughtheprocessofrotatingaccesskeys,arecommendedsecuritypractice.

1. Selecttheadministrator,andcreateatwo-partaccesskey.

2. Downloadtheaccesskey.

3. DownloadandinstalltheCLItoyourdesktop.

4. ConfiguretheCLItousetheaccesskeywiththeAWSConfigurecommand.

5. UsetheCLItolistthecontentsofanAmazonS3bucket.

6. Returntotheconsole,andcreateanewaccesskeyfortheadministratoraccount.

7. Downloadtheaccesskey,andreconfiguretheCLItousethenewaccesskey.

8. Intheconsole,maketheoriginalaccesskeyinactive.

9. ConfirmthatyouareusingthenewaccesskeybyonceagainlistingthecontentsoftheAmazonS3bucket.

10. Deletetheoriginalaccesskey.

EXERCISE6.6

SetUpMFAInthisexercise,youwilladdMFAtoyourIAMadministrator.YouwilluseavirtualMFAapplicationforyourphone.MFAisasecurityrecommendationonpowerfulaccountssuchasIAMadministrators.

1. DownloadtheAWSVirtualMFAapptoyourphone.

2. Selecttheadministratoruser,andmanagetheMFAdevice.

3. GothroughthestepstoactivateaVirtualMFAdevice.

4. Logoffasadministrator.

5. Loginasadministrator,andentertheMFAvaluetocompletetheauthenticationprocess.

EXERCISE6.7

ResolveConflictingPermissionsInthisexercise,youwilladdapolicytoyourIAMadministratoruserwithaconflictingpermission.YouwillthenattemptactionsthatverifyhowIAMresolvesconflictingpermissions.

1. Usethepolicygeneratortocreateanewpolicy.

2. CreatethepolicywithEffect:Deny;AWSService:AmazonS3;Actions:*;andARN:*.

3. AttachthenewpolicytotheAdministratorsgroup.

4. UsetheCLItoattempttolistthecontentsofanAmazonS3bucket.Thepolicythatallowsaccessandthepolicythatdeniesaccessshouldresolvetodenyaccess.

ReviewQuestions1. WhichofthefollowingmethodswillallowanapplicationusinganAWSSDKtobeauthenticatedasaprincipaltoaccessAWSCloudservices?(Choose2answers)

A. CreateanIAMuserandstoretheusernameandpasswordfortheuserintheapplication’sconfiguration.

B. CreateanIAMuserandstorebothpartsoftheaccesskeyfortheuserintheapplication’sconfiguration.

C. RuntheapplicationonanAmazonEC2instancewithanassignedIAMrole.

D. MakealltheAPIcallsoveranSSLconnection.

2. WhichofthefollowingarefoundinanIAMpolicy?(Choose2answers)

A. ServiceName

B. Region

C. Action

D. Password

3. YourAWSaccountadministratorleftyourcompanytoday.TheadministratorhadaccesstotherootuserandapersonalIAMadministratoraccount.Withtheseaccounts,hegeneratedotherIAMaccountsandkeys.WhichofthefollowingshouldyoudotodaytoprotectyourAWSinfrastructure?(Choose4answers)

A. ChangethepasswordandaddMFAtotherootuser.

B. PutanIPrestrictionontherootuser.

C. RotatekeysandchangepasswordsforIAMaccounts.

D. DeleteallIAMaccounts.

E. Deletetheadministrator’spersonalIAMaccount.

F. RelaunchallAmazonEC2instanceswithnewroles.

4. WhichofthefollowingactionscanbeauthorizedbyIAM?(Choose2answers)

A. InstallingASP.NETonaWindowsServer

B. LaunchinganAmazonLinuxEC2instance

C. QueryinganOracledatabase

D. AddingamessagetoanAmazonSimpleQueueService(AmazonSQS)queue

5. WhichofthefollowingareIAMsecurityfeatures?(Choose2answers)

A. Passwordpolicies

B. AmazonDynamoDBglobalsecondaryindexes

C. MFA

D. ConsolidatedBilling

6. WhichofthefollowingarebenefitsofusingAmazonEC2roles?(Choose2answers)

A. Nopoliciesarerequired.

B. CredentialsdonotneedtobestoredontheAmazonEC2instance.

C. Keyrotationisnotnecessary.

D. IntegrationwithActiveDirectoryisautomatic.

7. Whichofthefollowingarebasedontemporarysecuritytokens?(Choose2answers)

A. AmazonEC2roles

B. MFA

C. Rootuser

D. Federation

8. YoursecurityteamisveryconcernedaboutthevulnerabilityoftheIAMadministratoruseraccounts(theaccountsusedtoconfigureallIAMfeaturesandaccounts).Whatstepscanbetakentolockdowntheseaccounts?(Choose3answers)

A. Addmulti-factorauthentication(MFA)totheaccounts.

B. LimitloginstoaparticularU.S.state.

C. ImplementapasswordpolicyontheAWSaccount.

D. ApplyasourceIPaddressconditiontothepolicythatonlygrantspermissionswhentheuserisonthecorporatenetwork.

E. AddaCAPTCHAtesttotheaccounts.

9. YouwanttogranttheindividualsonyournetworkteamtheabilitytofullymanipulateAmazonEC2instances.Whichofthefollowingaccomplishthisgoal?(Choose2answers)

A. CreateanewpolicyallowingEC2:*actions,andnamethepolicyNetworkTeam.

B. Assignthemanagedpolicy,EC2FullAccess,toagroupnamedNetworkTeam,andassignalltheteammembers’IAMuseraccountstothatgroup.

C. CreateanewpolicythatgrantsEC2:*actionsonallresources,andassignthatpolicytoeachindividual’sIAMuseraccountonthenetworkteam.

D. CreateaNetworkTeamIAMgroup,andhaveeachteammemberlogintotheAWSManagementConsoleusingtheusername/passwordforthegroup.

10. WhatistheformatofanIAMpolicy?

A. XML

B. Key/valuepairs

C. JSON

D. Tab-delimitedtext

Chapter7DatabasesandAWSTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems



Planninganddesign

Architecturaltrade-offdecisions(AmazonRelationalDatabaseService[AmazonRDS]vs.installingonAmazonElasticComputeCloud[AmazonEC2])


RecoveryTimeObjective(RTO)andRecoveryPointObjective(RPO)DisasterRecovery(DR)design





AWSadministrationandsecurityservices

Designpatterns


ThischapterwillcoveressentialdatabaseconceptsandintroducethreeofAmazon’smanageddatabaseservices:AmazonRelationalDatabaseService(AmazonRDS),AmazonDynamoDB,andAmazonRedshift.Thesemanagedservicessimplifythesetupandoperationofrelationaldatabases,NoSQLdatabases,anddatawarehouses.

Thischapterfocusesonkeytopicsyouneedtounderstandfortheexam,including:

Thedifferencesamongarelationaldatabase,aNoSQLdatabase,andadatawarehouse

ThebenefitsandtradeoffsbetweenrunningadatabaseonAmazonEC2oronAmazonRDS

Howtodeploydatabaseenginesintothecloud

HowtobackupandrecoveryourdatabaseandmeetyourRecoveryPointObjective(RPO)andRecoveryTimeObjective(RTO)requirements

Howtobuildhighlyavailabledatabasearchitectures

Howtoscaleyourdatabasecomputeandstoragevertically

Howtoselecttherighttypeofstoragevolume

Howtousereadreplicastoscalehorizontally

HowtodesignandscaleanAmazonDynamoDBtable

HowtoreadandwritefromanAmazonDynamoDBtable

Howtousesecondaryindexestospeedqueries

HowtodesignanAmazonRedshifttable

HowtoloadandqueryanAmazonRedshiftdatawarehouse

Howtosecureyourdatabases,tables,andclusters

DatabasePrimerAlmosteveryapplicationreliesonadatabasetostoreimportantdataandrecordsforitsusers.Adatabaseengineallowsyourapplicationtoaccess,manage,andsearchlargevolumesofdatarecords.Inawell-architectedapplication,thedatabasewillneedtomeettheperformancedemands,theavailabilityneeds,andtherecoverabilitycharacteristicsofthesystem.

Databasesystemsandenginescanbegroupedintotwobroadcategories:RelationalDatabaseManagementSystems(RDBMS)andNoSQL(ornon-relational)databases.ItisnotuncommontobuildanapplicationusingacombinationofRDBMSandNoSQLdatabases.Astrongunderstandingofessentialdatabaseconcepts,AmazonRDS,andAmazonDynamoDBarerequiredtopassthisexam.

RelationalDatabasesThemostcommontypeofdatabaseinusetodayistherelationaldatabase.Therelationaldatabasehasrootsgoingbacktothe1970swhenEdgarF.Codd,workingforIBM,developedtheconceptsoftherelationalmodel.Today,relationaldatabasespoweralltypesofapplicationsfromsocialmediaapps,e-commercewebsites,andblogstocomplexenterpriseapplications.CommonlyusedrelationaldatabasesoftwarepackagesincludeMySQL,PostgreSQL,MicrosoftSQLServer,andOracle.

RelationaldatabasesprovideacommoninterfacethatletsusersreadandwritefromthedatabaseusingcommandsorquerieswrittenusingStructuredQueryLanguage(SQL).Arelationaldatabaseconsistsofoneormoretables,andatableconsistsofcolumnsandrowssimilartoaspreadsheet.Adatabasecolumncontainsaspecificattributeoftherecord,suchasaperson’sname,address,andtelephonenumber.Eachattributeisassignedadatatypesuchastext,number,ordate,andthedatabaseenginewillrejectinvalidinputs.

Adatabaserowcomprisesanindividualrecord,suchasthedetailsaboutastudentwhoattendsaschool.ConsidertheexampleinTable7.1.

TABLE7.1StudentsTable

StudentID FirstName LastName Gender Age

1001 Joe Dusty M 29

1002 Andrea Romanov F 20

1003 Ben Johnson M 30

1004 Beth Roberts F 30

Thisisanexampleofabasictablethatwouldsitinarelationaldatabase.Therearefivefieldswithdifferentdatatypes:

StudentID=Numberorinteger

FirstName=String

LastName=String

Gender=String(CharacterLength=1)

Age=Integer

Thissampletablehasfourrecords,witheachrecordrepresentinganindividualstudent.EachstudenthasaStudentIDfield,whichisusuallyauniquenumberperstudent.Auniquenumberthatidentifieseachstudentcanbecalledaprimarykey.

Onerecordinatablecanrelatetoarecordinanothertablebyreferencingtheprimarykeyofarecord.Thispointerorreferenceiscalledaforeignkey.Forexample,theGradestablethatrecordsscoresforeachstudentwouldhaveitsownprimarykeyandanadditionalcolumnknownasaforeignkeythatreferstotheprimarykeyofthestudentrecord.Byreferencingtheprimarykeysofothertables,relationaldatabasesminimizeduplicationofdatainassociatedtables.Withrelationaldatabases,itisimportanttonotethatthestructureofthetable(suchasthenumberofcolumnsanddatatypeofeachcolumn)mustbedefinedpriortodatabeingaddedtothetable.

ArelationaldatabasecanbecategorizedaseitheranOnlineTransactionProcessing(OLTP)orOnlineAnalyticalProcessing(OLAP)databasesystem,dependingonhowthetablesareorganizedandhowtheapplicationusestherelationaldatabase.OLTPreferstotransaction-orientedapplicationsthatarefrequentlywritingandchangingdata(forexample,dataentryande-commerce).OLAPistypicallythedomainofdatawarehousesandreferstoreportingoranalyzinglargedatasets.LargeapplicationsoftenhaveamixofbothOLTPandOLAPdatabases.

AmazonRelationalDatabaseService(AmazonRDS)significantlysimplifiesthesetupandmaintenanceofOLTPandOLAPdatabases.AmazonRDSprovidessupportforsixpopularrelationaldatabaseengines:MySQL,Oracle,PostgreSQL,MicrosoftSQLServer,MariaDB,andAmazonAurora.YoucanalsochoosetorunnearlyanydatabaseengineusingWindowsorLinuxAmazonElasticComputeCloud(AmazonEC2)instancesandmanagetheinstallationandadministrationyourself.

DataWarehousesAdatawarehouseisacentralrepositoryfordatathatcancomefromoneormoresources.ThisdatarepositoryisoftenaspecializedtypeofrelationaldatabasethatcanbeusedforreportingandanalysisviaOLAP.Organizationstypicallyusedatawarehousestocompilereportsandsearchthedatabaseusinghighlycomplexqueries.

Datawarehousesarealsotypicallyupdatedonabatchschedulemultipletimesperdayorperhour,comparedtoanOLTPrelationaldatabasethatcanbeupdatedthousandsoftimespersecond.Manyorganizationssplittheirrelationaldatabasesintotwodifferentdatabases:onedatabaseastheirmainproductiondatabaseforOLTPtransactions,andtheotherdatabaseastheirdatawarehouseforOLAP.OLTPtransactionsoccurfrequentlyandarerelativelysimple.OLAPtransactionsoccurmuchlessfrequentlybutaremuchmorecomplex.

AmazonRDSisoftenusedforOLTPworkloads,butitcanalsobeusedforOLAP.AmazonRedshiftisahigh-performancedatawarehousedesignedspecificallyforOLAPusecases.ItisalsocommontocombineAmazonRDSwithAmazonRedshiftinthesameapplicationandperiodicallyextractrecenttransactionsandloadthemintoareportingdatabase.

NoSQLDatabasesNoSQLdatabaseshavegainedsignificantpopularityinrecentyearsbecausetheyareoftensimplertouse,moreflexible,andcanachieveperformancelevelsthataredifficultorimpossiblewithtraditionalrelationaldatabases.Traditionalrelationaldatabasesaredifficulttoscalebeyondasingleserverwithoutsignificantengineeringandcost,butaNoSQLarchitectureallowsforhorizontalscalabilityoncommodityhardware.

NoSQLdatabasesarenon-relationalanddonothavethesametableandcolumnsemanticsofarelationaldatabase.NoSQLdatabasesareinsteadoftenkey/valuestoresordocumentstoreswithflexibleschemasthatcanevolveovertimeorvary.Contrastthattoarelationaldatabase,whichrequiresaveryrigidschema.

ManyoftheconceptsofNoSQLarchitecturestracetheirfoundationalconceptsbacktowhitepaperspublishedin2006and2007thatdescribeddistributedsystemslikeDynamoatAmazon.Today,manyapplicationteamsuseHbase,MongoDB,Cassandra,CouchDB,Riak,andAmazonDynamoDBtostorelargevolumesofdatawithhightransactionrates.Manyofthesedatabaseenginessupportclusteringandscalehorizontallyacrossmanymachinesforperformanceandfaulttolerance.AcommonusecaseforNoSQLismanagingusersessionstate,userprofiles,shoppingcartdata,ortime-seriesdata.

YoucanrunanytypeofNoSQLdatabaseonAWSusingAmazonEC2,oryoucanchooseamanagedservicelikeAmazonDynamoDBtodealwiththeheavyliftinginvolvedwithbuildingadistributedclusterspanningmultipledatacenters.

AmazonRelationalDatabaseService(AmazonRDS)AmazonRDSisaservicethatsimplifiesthesetup,operations,andscalingofarelationaldatabaseonAWS.WithAmazonRDS,youcanspendmoretimefocusingontheapplicationandtheschemaandletAmazonRDSoffloadcommontaskslikebackups,patching,scaling,andreplication.

AmazonRDShelpsyoutostreamlinetheinstallationofthedatabasesoftwareandalsotheprovisioningofinfrastructurecapacity.Withinafewminutes,AmazonRDScanlaunchoneofmanypopulardatabaseenginesthatisreadytostarttakingSQLtransactions.Aftertheinitiallaunch,AmazonRDSsimplifiesongoingmaintenancebyautomatingcommonadministrativetasksonarecurringbasis.

WithAmazonRDS,youcanaccelerateyourdevelopmenttimelinesandestablishaconsistentoperatingmodelformanagingrelationaldatabases.Forexample,AmazonRDSmakesiteasytoreplicateyourdatatoincreaseavailability,improvedurability,orscaleuporbeyondasingledatabaseinstanceforread-heavydatabaseworkloads.

AmazonRDSexposesadatabaseendpointtowhichclientsoftwarecanconnectandexecuteSQL.AmazonRDSdoesnotprovideshellaccesstoDatabase(DB)Instances,anditrestrictsaccesstocertainsystemproceduresandtablesthatrequireadvancedprivileges.WithAmazonRDS,youcantypicallyusethesametoolstoquery,analyze,modify,andadministerthedatabase.Forexample,currentExtract,Transform,Load(ETL)toolsandreportingtoolscanconnecttoAmazonRDSdatabasesinthesamewaywiththesamedrivers,andoftenallittakestoreconfigureischangingthehostnameintheconnectionstring.

Database(DB)InstancesTheAmazonRDSserviceitselfprovidesanApplicationProgrammingInterface(API)thatletsyoucreateandmanageoneormoreDBInstances.ADBInstanceisanisolateddatabaseenvironmentdeployedinyourprivatenetworksegmentsinthecloud.EachDBInstancerunsandmanagesapopularcommercialoropensourcedatabaseengineonyourbehalf.AmazonRDScurrentlysupportsthefollowingdatabaseengines:MySQL,PostgreSQL,MariaDB,Oracle,SQLServer,andAmazonAurora.

YoucanlaunchanewDBInstancebycallingtheCreateDBInstanceAPIorbyusingtheAWSManagementConsole.ExistingDBInstancescanbechangedorresizedusingtheModifyDBInstanceAPI.ADBInstancecancontainmultipledifferentdatabases,allofwhichyoucreateandmanagewithintheDBInstanceitselfbyexecutingSQLcommandswiththeAmazonRDSendpoint.Thedifferentdatabasescanbecreated,accessed,andmanagedusingthesameSQLclienttoolsandapplicationsthatyouusetoday.

ThecomputeandmemoryresourcesofaDBInstancearedeterminedbyitsDBInstanceclass.YoucanselecttheDBInstanceclassthatbestmeetsyourneedsforcomputeandmemory.TherangeofDBInstanceclassesextendsfromadb.t2.microwith1virtualCPU(vCPU)and1GBofmemory,uptoadb.r3.8xlargewith32vCPUsand244GBofmemory.Asyourneedschangeovertime,youcanchangetheinstanceclassandthebalanceofcomputeofmemory,andAmazonRDSwillmigrateyourdatatoalargerorsmallerinstanceclass.IndependentfromtheDBInstanceclassthatyouselect,youcanalsocontrolthesizeand

performancecharacteristicsofthestorageused.

AmazonRDSsupportsalargevarietyofengines,versions,andfeaturecombinations.ChecktheAmazonRDSdocumentationtodeterminesupportforspecificfeatures.ManyfeaturesandcommonconfigurationsettingsareexposedandmanagedusingDBparametergroupsandDBoptiongroups.ADBparametergroupactsasacontainerforengineconfigurationvaluesthatcanbeappliedtooneormoreDBInstances.YoumaychangetheDBparametergroupforanexistinginstance,butarebootisrequired.ADBoptiongroupactsasacontainerforenginefeatures,whichisemptybydefault.InordertoenablespecificfeaturesofaDBengine(forexample,OracleStatspack,MicrosoftSQLServerMirroring),youcreateanewDBoptiongroupandconfigurethesettingsaccordingly.

ExistingdatabasescanbemigratedtoAmazonRDSusingnativetoolsandtechniquesthatvarydependingontheengine.ForexamplewithMySQL,youcanexportabackupusingmysqldumpandimportthefileintoAmazonRDSMySQL.YoucanalsousetheAWSDatabaseMigrationService,whichgivesyouagraphicalinterfacethatsimplifiesthemigrationofbothschemaanddatabetweendatabases.AWSDatabaseMigrationServicealsohelpsconvertdatabasesfromonedatabaseenginetoanother.

OperationalBenefitsAmazonRDSincreasestheoperationalreliabilityofyourdatabasesbyapplyingaveryconsistentdeploymentandoperationalmodel.Thislevelofconsistencyisachievedinpartbylimitingthetypesofchangesthatcanbemadetotheunderlyinginfrastructureandthroughtheextensiveuseofautomation.ForexamplewithAmazonRDS,youcannotuseSecureShell(SSH)tologintothehostinstanceandinstallacustompieceofsoftware.Youcan,however,connectusingSQLadministratortoolsoruseDBoptiongroupsandDBparametergroupstochangethebehaviororfeatureconfigurationforaDBInstance.IfyouwantfullcontroloftheOperatingSystem(OS)orrequireelevatedpermissionstorun,thenconsiderinstallingyourdatabaseonAmazonEC2insteadofAmazonRDS.

AmazonRDSisdesignedtosimplifythecommontasksrequiredtooperatearelationaldatabaseinareliablemanner.It’susefultocomparetheresponsibilitiesofanadministratorwhenoperatingarelationaldatabaseinyourdatacenter,onAmazonEC2,orwithAmazonRDS(seeTable7.2).

TABLE7.2ComparisonofOperationalResponsibilities

Responsibility DatabaseOn-Premise

DatabaseonAmazonEC2

DatabaseonAmazonRDS

AppOptimization

You You You

Scaling You You AWS

HighAvailability You You AWS

Backups You You AWS

DBEnginePatches

You You AWS

SoftwareInstallation

You You AWS

OSPatches You You AWS

OSInstallation You AWS AWS

ServerMaintenance

You AWS AWS

RackandStack You AWS AWS

PowerandCooling

You AWS AWS

DatabaseEnginesAmazonRDSsupportssixdatabaseengines:MySQL,PostgreSQL,MariaDB,Oracle,SQLServer,andAmazonAurora.Featuresandcapabilitiesvaryslightlydependingontheenginethatyouselect.

MySQLMySQLisoneofthemostpopularopensourcedatabasesintheworld,anditisusedtopowerawiderangeofapplications,fromsmallpersonalblogstosomeofthelargestwebsitesintheworld.Asofthetimeofthiswriting,AmazonRDSforMySQLcurrentlysupportsMySQL5.7,5.6,5.5,and5.1.TheengineisrunningtheopensourceCommunityEditionwithInnoDBasthedefaultandrecommendeddatabasestorageengine.AmazonRDSMySQLallowsyoutoconnectusingstandardMySQLtoolssuchasMySQLWorkbenchorSQLWorkbench/J.AmazonRDSMySQLsupportsMulti-AZdeploymentsforhighavailabilityandreadreplicasforhorizontalscaling.

PostgreSQLPostgreSQLisawidelyusedopensourcedatabaseenginewithaveryrichsetoffeaturesandadvancedfunctionality.AmazonRDSsupportsDBInstancesrunningseveralversionsofPostgreSQL.Asofthetimeofthiswriting,AmazonRDSsupportsmultiplereleasesofPostgreSQL,including9.5.x,9.4.x,and9.3.x.AmazonRDSPostgreSQLcanbemanagedusingstandardtoolslikepgAdminandsupportsstandardJDBC/ODBCdrivers.AmazonRDSPostgreSQLalsosupportsMulti-AZdeploymentforhighavailabilityandreadreplicasfor

horizontalscaling.

MariaDBAmazonRDSrecentlyaddedsupportforDBInstancesrunningMariaDB.MariaDBisapopularopensourcedatabaseenginebuiltbythecreatorsofMySQLandenhancedwithenterprisetoolsandfunctionality.MariaDBaddsfeaturesthatenhancetheperformance,availability,andscalabilityofMySQL.Asofthetimeofthiswriting,AWSsupportsMariaDBversion10.0.17.AmazonRDSfullysupportstheXtraDBstorageengineforMariaDBDBInstancesand,likeAmazonRDSMySQLandPostgreSQL,hassupportforMulti-AZdeploymentandreadreplicas.

OracleOracleisoneofthemostpopularrelationaldatabasesusedintheenterpriseandisfullysupportedbyAmazonRDS.Asofthetimeofthiswriting,AmazonRDSsupportsDBInstancesrunningseveraleditionsofOracle11gandOracle12c.AmazonRDSsupportsaccesstoschemasonaDBInstanceusinganystandardSQLclientapplication,suchasOracleSQLPlus.

AmazonRDSOraclesupportsthreedifferenteditionsofthepopulardatabaseengine:StandardEditionOne,StandardEdition,andEnterpriseEdition.Table7.3outlinessomeofthemajordifferencesbetweeneditions:

TABLE7.3AmazonRDSOracleEditionsCompared

Edition Performance Multi-AZ Encryption

StandardOne ++++ Yes KMS

Standard ++++++++ Yes KMS

Enterprise ++++++++ Yes KMSandTDE

MicrosoftSQLServerMicrosoftSQLServerisanotherverypopularrelationaldatabaseusedintheenterprise.AmazonRDSallowsDatabaseAdministrators(DBAs)toconnecttotheirSQLServerDBInstanceinthecloudusingnativetoolslikeSQLServerManagementStudio.Asofthetimeofthiswriting,AmazonRDSprovidessupportforseveralversionsofMicrosoftSQLServer,includingSQLServer2008R2,SQLServer2012,andSQLServer2014.

AmazonRDSSQLServeralsosupportsfourdifferenteditionsofSQLServer:ExpressEdition,WebEdition,StandardEdition,andEnterpriseEdition.Table7.4highlightstherelativeperformance,availability,andencryptiondifferencesamongtheseeditions.

TABLE7.4AmazonRDSSQLServerEditionsCompared

Edition Performance Multi-AZ Encryption

Express + No KMS

Web ++++ No KMS

Standard ++++ Yes KMS

Enterprise ++++++++ Yes KMSandTDE

LicensingAmazonRDSOracleandMicrosoftSQLServerarecommercialsoftwareproductsthatrequireappropriatelicensestooperateinthecloud.AWSofferstwolicensingmodels:LicenseIncludedandBringYourOwnLicense(BYOL).

LicenseIncludedIntheLicenseIncludedmodel,thelicenseisheldbyAWSandisincludedintheAmazonRDSinstanceprice.ForOracle,LicenseIncludedprovideslicensingforStandardEditionOne.ForSQLServer,LicenseIncludedprovideslicensingforSQLServerExpressEdition,WebEdition,andStandardEdition.

BringYourOwnLicense(BYOL)IntheBYOLmodel,youprovideyourownlicense.ForOracle,youmusthavetheappropriateOracleDatabaselicensefortheDBInstanceclassandOracleDatabaseeditionyouwanttorun.YoucanbringoverStandardEditionOne,StandardEdition,andEnterpriseEdition.

ForSQLServer,youprovideyourownlicenseundertheMicrosoftLicenseMobilityprogram.YoucanbringoverMicrosoftSQLStandardEditionandalsoEnterpriseEdition.Youareresponsiblefortrackingandmanaginghowlicensesareallocated.

AmazonAuroraAmazonAuroraoffersenterprise-gradecommercialdatabasetechnologywhileofferingthesimplicityandcosteffectivenessofanopensourcedatabase.ThisisachievedbyredesigningtheinternalcomponentsofMySQLtotakeamoreservice-orientedapproach.

LikeotherAmazonRDSengines,AmazonAuroraisafullymanagedservice,isMySQL-compatibleoutofthebox,andprovidesforincreasedreliabilityandperformanceoverstandardMySQLdeployments.AmazonAuroracandeliveruptofivetimestheperformanceofMySQLwithoutrequiringchangestomostofyourexistingwebapplications.Youcanusethesamecode,tools,andapplicationsthatyouusewithyourexistingMySQLdatabaseswithAmazonAurora.

WhenyoufirstcreateanAmazonAurorainstance,youcreateaDBcluster.ADBclusterhasoneormoreinstancesandincludesaclustervolumethatmanagesthedataforthoseinstances.AnAmazonAuroraclustervolumeisavirtualdatabasestoragevolumethatspansmultipleAvailabilityZones,witheachAvailabilityZonehavingacopyoftheclusterdata.AnAmazonAuroraDBclusterconsistsoftwodifferenttypesofinstances:

PrimaryInstanceThisisthemaininstance,whichsupportsbothreadandwriteworkloads.Whenyoumodifyyourdata,youaremodifyingtheprimaryinstance.EachAmazonAuroraDBclusterhasoneprimaryinstance.

AmazonAuroraReplicaThisisasecondaryinstancethatsupportsonlyreadoperations.EachDBclustercanhaveupto15AmazonAuroraReplicasinadditiontotheprimaryinstance.ByusingmultipleAmazonAuroraReplicas,youcandistributethereadworkloadamongvariousinstances,increasingperformance.YoucanalsolocateyourAmazonAuroraReplicasinmultipleAvailabilityZonestoincreaseyourdatabaseavailability.

StorageOptionsAmazonRDSisbuiltusingAmazonElasticBlockStore(AmazonEBS)andallowsyoutoselecttherightstorageoptionbasedonyourperformanceandcostrequirements.Dependingonthedatabaseengineandworkload,youcanscaleupto4to6TBinprovisionedstorageandupto30,000IOPS.AmazonRDSsupportsthreestoragetypes:Magnetic,GeneralPurpose(SolidStateDrive[SSD]),andProvisionedIOPS(SSD).Table7.5highlightstherelativesize,performance,andcostdifferencesbetweentypes.

TABLE7.5AmazonRDSStorageTypes

Magnetic GeneralPurpose(SSD) ProvisionedIOPS(SSD)

Size +++ +++++ +++++

Performance + +++ +++++

Cost ++ +++ +++++

MagneticMagneticstorage,alsocalledstandardstorage,offerscost-effectivestoragethatisidealforapplicationswithlightI/Orequirements.

GeneralPurpose(SSD)Generalpurpose(SSD)-backedstorage,alsocalledgp2,canprovidefasteraccessthanmagneticstorage.Thisstoragetypecanprovideburstperformancetomeetspikesandisexcellentforsmall-tomedium-sizeddatabases.

ProvisionedIOPS(SSD)ProvisionedIOPS(SSD)storageisdesignedtomeettheneedsofI/O-intensiveworkloads,particularlydatabaseworkloads,thataresensitivetostorageperformanceandconsistencyinrandomaccessI/Othroughput.

Formostapplications,GeneralPurpose(SSD)isthebestoptionandprovidesagoodmixoflower-costandhigher-performancecharacteristics.

BackupandRecoveryAmazonRDSprovidesaconsistentoperationalmodelforbackupandrecoveryproceduresacrossthedifferentdatabaseengines.AmazonRDSprovidestwomechanismsforbackingupthedatabase:automatedbackupsandmanualsnapshots.Byusingacombinationofbothtechniques,youcandesignabackuprecoverymodeltoprotectyourapplicationdata.

EachorganizationtypicallywilldefineaRecoveryPointObjective(RPO)andRecoveryTimeObjective(RTO)forimportantapplicationsbasedonthecriticalityoftheapplicationandtheexpectationsoftheusers.It’scommonforenterprisesystemstohaveanRPOmeasuredinminutesandanRTOmeasuredinhoursorevendays,whilesomecriticalapplicationsmayhavemuchlowertolerances.

RPOisdefinedasthemaximumperiodofdatalossthatisacceptableintheeventofafailureorincident.Forexample,manysystemsbackuptransactionlogsevery15minutestoallowthemtominimizedatalossintheeventofanaccidentaldeletionorhardwarefailure.

RTOisdefinedasthemaximumamountofdowntimethatispermittedtorecoverfrombackupandtoresumeprocessing.Forlargedatabasesinparticular,itcantakehourstorestorefromafullbackup.Intheeventofahardwarefailure,youcanreduceyourRTOtominutesbyfailingovertoasecondarynode.Youshouldcreatearecoveryplanthat,ataminimum,letsyourecoverfromarecentbackup.

AutomatedBackupsAnautomatedbackupisanAmazonRDSfeaturethatcontinuouslytrackschangesandbacksupyourdatabase.AmazonRDScreatesastoragevolumesnapshotofyourDBInstance,backinguptheentireDBInstanceandnotjustindividualdatabases.YoucansetthebackupretentionperiodwhenyoucreateaDBInstance.Onedayofbackupswillberetainedbydefault,butyoucanmodifytheretentionperioduptoamaximumof35days.KeepinmindthatwhenyoudeleteaDBInstance,allautomatedbackupsnapshotsaredeletedandcannotberecovered.Manualsnapshots,however,arenotdeleted.

Automatedbackupswilloccurdailyduringaconfigurable30-minutemaintenancewindowcalledthebackupwindow.Automatedbackupsarekeptforaconfigurablenumberofdays,calledthebackupretentionperiod.YoucanrestoreyourDBInstancetoanyspecifictimeduringthisretentionperiod,creatinganewDBInstance.

ManualDBSnapshotsInadditiontoautomatedbackups,youcanperformmanualDBsnapshotsatanytime.ADBsnapshotisinitiatedbyyouandcanbecreatedasfrequentlyasyouwant.YoucanthenrestoretheDBInstancetothespecificstateintheDBsnapshotatanytime.DBsnapshotscanbecreatedwiththeAmazonRDSconsoleortheCreateDBSnapshotaction.Unlikeautomatedsnapshotsthataredeletedaftertheretentionperiod,manualDBsnapshotsarekeptuntilyouexplicitlydeletethemwiththeAmazonRDSconsoleortheDeleteDBSnapshotaction.

Forbusydatabases,useMulti-AZtominimizetheperformanceimpactofasnapshot.Duringthebackupwindow,storageI/Omaybesuspendedwhileyourdataisbeingbackedup,andyoumayexperienceelevatedlatency.ThisI/Osuspensiontypicallylastsforthedurationofthesnapshot.ThisperiodofI/OsuspensionisshorterforMulti-AZDBdeploymentsbecausethebackupistakenfromthestandby,butlatencycanoccurduringthebackupprocess.

RecoveryAmazonRDSallowsyoutorecoveryourdatabasequicklywhetheryouareperformingautomatedbackupsormanualDBsnapshots.YoucannotrestorefromaDBsnapshottoanexistingDBInstance;anewDBInstanceiscreatedwhenyourestore.WhenyourestoreaDBInstance,onlythedefaultDBparameterandsecuritygroupsareassociatedwiththerestored

instance.Assoonastherestoreiscomplete,youshouldassociateanycustomDBparameterorsecuritygroupsusedbytheinstancefromwhichyourestored.Whenusingautomatedbackups,AmazonRDScombinesthedailybackupsperformedduringyourpredefinedmaintenancewindowinconjunctionwithtransactionlogstoenableyoutorestoreyourDBInstancetoanypointduringyourretentionperiod,typicallyuptothelastfiveminutes.

HighAvailabilitywithMulti-AZOneofthemostpowerfulfeaturesofAmazonRDSisMulti-AZdeployments,whichallowsyoutocreateadatabaseclusteracrossmultipleAvailabilityZones.Settinguparelationaldatabasetoruninahighlyavailableandfault-tolerantfashionisachallengingtask.WithAmazonRDSMulti-AZ,youcanreducethecomplexityinvolvedwiththiscommonadministrativetask;withasingleoption,AmazonRDScanincreasetheavailabilityofyourdatabaseusingreplication.Multi-AZletsyoumeetthemostdemandingRPOandRTOtargetsbyusingsynchronousreplicationtominimizeRPOandfastfailovertominimizeRTOtominutes.

Multi-AZallowsyoutoplaceasecondarycopyofyourdatabaseinanotherAvailabilityZonefordisasterrecoverypurposes.Multi-AZdeploymentsareavailableforalltypesofAmazonRDSdatabaseengines.WhenyoucreateaMulti-AZDBInstance,aprimaryinstanceiscreatedinoneAvailabilityZoneandasecondaryinstanceiscreatedinanotherAvailabilityZone.Youareassignedadatabaseinstanceendpointsuchasthefollowing:

my_app_db.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com

ThisendpointisaDomainNameSystem(DNS)namethatAWStakesresponsibilityforresolvingtoaspecificIPaddress.YouusethisDNSnamewhencreatingtheconnectiontoyourdatabase.Figure7.1illustratesatypicalMulti-AZdeploymentspanningtwoAvailabilityZones.

FIGURE7.1Multi-AZAmazonRDSarchitecture

AmazonRDSautomaticallyreplicatesthedatafromthemasterdatabaseorprimaryinstancetotheslavedatabaseorsecondaryinstanceusingsynchronousreplication.EachAvailabilityZonerunsonitsownphysicallydistinct,independentinfrastructureandisengineeredtobehighlyreliable.AmazonRDSdetectsandautomaticallyrecoversfromthemostcommonfailurescenariosforMulti-AZdeploymentssothatyoucanresumedatabaseoperationsasquicklyaspossiblewithoutadministrativeintervention.AmazonRDSautomaticallyperformsafailoverintheeventofanyofthefollowing:

LossofavailabilityinprimaryAvailabilityZone

Lossofnetworkconnectivitytoprimarydatabase

Computeunitfailureonprimarydatabase

Storagefailureonprimarydatabase

AmazonRDSwillautomaticallyfailovertothestandbyinstancewithoutuserintervention.TheDNSnameremainsthesame,buttheAmazonRDSservicechangestheCNAMEtopointtothestandby.TheprimaryDBInstanceswitchesoverautomaticallytothestandbyreplicaiftherewasanAvailabilityZoneservicedisruption,iftheprimaryDBInstancefails,oriftheinstancetypeischanged.YoucanalsoperformamanualfailoveroftheDBInstance.Failover

betweentheprimaryandthesecondaryinstanceisfast,andthetimeautomaticfailovertakestocompleteistypicallyonetotwominutes.

ItisimportanttorememberthatMulti-AZdeploymentsarefordisasterrecoveryonly;theyarenotmeanttoenhancedatabaseperformance.ThestandbyDBInstanceisnotavailabletoofflinequeriesfromtheprimarymasterDBInstance.ToimprovedatabaseperformanceusingmultipleDBInstances,usereadreplicasorotherDBcachingtechnologiessuchasAmazonElastiCache.

ScalingUpandOutAsthenumberoftransactionsincreasetoarelationaldatabase,scalingup,orvertically,bygettingalargermachineallowsyoutoprocessmorereadsandwrites.Scalingout,orhorizontally,isalsopossible,butitisoftenmoredifficult.AmazonRDSallowsyoutoscalecomputeandstoragevertically,andforsomeDBengines,youcanscalehorizontally.

VerticalScalabilityAddingadditionalcompute,memory,orstorageresourcestoyourdatabaseallowsyoutoprocessmoretransactions,runmorequeries,andstoremoredata.AmazonRDSmakesiteasytoscaleupordownyourdatabasetiertomeetthedemandsofyourapplication.ChangescanbescheduledtooccurduringthenextmaintenancewindowortobeginimmediatelyusingtheModifyDBInstanceaction.

Tochangetheamountofcomputeandmemory,youcanselectadifferentDBInstanceclassofthedatabase.AfteryouselectalargerorsmallerDBInstanceclass,AmazonRDSautomatesthemigrationprocesstoanewclasswithonlyashortdisruptionandminimaleffort.

Youcanalsoincreasetheamountofstorage,thestorageclass,andthestorageperformanceforanAmazonRDSInstance.Eachdatabaseinstancecanscalefrom5GBupto6TBinprovisionedstoragedependingonthestoragetypeandengine.StorageforAmazonRDScanbeincreasedovertimeasneedsgrowwithminimalimpacttotherunningdatabase.StorageexpansionissupportedforallofthedatabaseenginesexceptforSQLServer.

HorizontalScalabilitywithPartitioningArelationaldatabasecanbescaledverticallyonlysomuchbeforeyoureachthemaximuminstancesize.Partitioningalargerelationaldatabaseintomultipleinstancesorshardsisacommontechniqueforhandlingmorerequestsbeyondthecapabilitiesofasingleinstance.

Partitioning,orsharding,allowsyoutoscalehorizontallytohandlemoreusersandrequestsbutrequiresadditionallogicintheapplicationlayer.Theapplicationneedstodecidehowtoroutedatabaserequeststothecorrectshardandbecomeslimitedinthetypesofqueriesthatcanbeperformedacrossserverboundaries.NoSQLdatabaseslikeAmazonDynamoDBorCassandraaredesignedtoscalehorizontally.

HorizontalScalabilitywithReadReplicas

Anotherimportantscalingtechniqueistousereadreplicastooffloadreadtransactionsfromtheprimarydatabaseandincreasetheoverallnumberoftransactions.AmazonRDSsupportsreadreplicasthatallowyoutoscaleoutelasticallybeyondthecapacityconstraintsofasingleDBInstanceforread-heavydatabaseworkloads.

ThereareavarietyofusecaseswheredeployingoneormorereadreplicaDBInstancesishelpful.Somecommonscenariosinclude:

ScalebeyondthecapacityofasingleDBInstanceforread-heavyworkloads.

HandlereadtrafficwhilethesourceDBInstanceisunavailable.Forexample,duetoI/Osuspensionforbackupsorscheduledmaintenance,youcandirectreadtraffictoareplica.

OffloadreportingordatawarehousingscenariosagainstareplicainsteadoftheprimaryDBInstance.

Forexample,abloggingwebsitemayhaveverylittlewriteactivityexceptfortheoccasionalcomment,andthevastmajorityofdatabaseactivitywillberead-only.Byoffloadingsomeorallofthereadactivitytooneormorereadreplicas,theprimarydatabaseinstancecanfocusonhandlingthewritesandreplicatingthedataouttothereplicas.

ReadreplicasarecurrentlysupportedinAmazonRDSforMySQL,PostgreSQL,MariaDB,andAmazonAurora.AmazonRDSusestheMySQL,MariaDB,andPostgreSQLDBengines’built-inreplicationfunctionalitytocreateaspecialtypeofDBInstance,calledareadreplica,fromasourceDBInstance.UpdatesmadetothesourceDBInstanceareasynchronouslycopiedtothereadreplica.YoucanreducetheloadonyoursourceDBInstancebyroutingreadqueriesfromyourapplicationstothereadreplica.

YoucancreateoneormorereplicasofadatabasewithinasingleAWSRegionoracrossmultipleAWSRegions.Toenhanceyourdisasterrecoverycapabilitiesorreducegloballatencies,youcanusecross-regionreadreplicastoservereadtrafficfromaregionclosesttoyourglobalusersormigrateyourdatabasesacrossAWSRegions.

SecuritySecuringyourAmazonRDSDBInstancesandrelationaldatabasesrequiresacomprehensiveplanthataddressesthemanylayerscommonlyfoundindatabase-drivensystems.Thisincludestheinfrastructureresources,thedatabase,andthenetwork.

ProtectaccesstoyourinfrastructureresourcesusingAWSIdentityandAccessManagement(IAM)policiesthatlimitwhichactionsAWSadministratorscanperform.Forexample,somekeyadministratoractionsthatcanbecontrolledinIAMincludeCreateDBInstanceandDeleteDBInstance.

AnothersecuritybestpracticeistodeployyourAmazonRDSDBInstancesintoaprivatesubnetwithinanAmazonVirtualPrivateCloud(AmazonVPC)thatlimitsnetworkaccesstotheDBInstance.BeforeyoucandeployintoanAmazonVPC,youmustfirstcreateaDBsubnetgroupthatpredefineswhichsubnetsareavailableforAmazonRDSdeployments.Further,restrictnetworkaccessusingnetworkAccessControlLists(ACLs)andsecuritygroupstolimitinboundtraffictoashortlistofsourceIPaddresses.

Atthedatabaselevel,youwillalsoneedtocreateusersandgrantthempermissionstoreadandwritetoyourdatabases.Accesstothedatabaseiscontrolledusingthedatabaseengine-specificaccesscontrolandusermanagementmechanisms.Createusersatthedatabaselevelwithstrongpasswordsthatyourotatefrequently.

Finally,protecttheconfidentialityofyourdataintransitandatrestwithmultipleencryptioncapabilitiesprovidedwithAmazonRDS.Securityfeaturesvaryslightlyfromoneenginetoanother,butallenginessupportsomeformofin-transitencryptionandalsoat-restencryption.YoucansecurelyconnectaclienttoarunningDBInstanceusingSecureSocketsLayer(SSL)toprotectdataintransit.EncryptionatrestispossibleforallenginesusingtheAmazonKeyManagementService(KMS)orTransparentDataEncryption(TDE).Alllogs,backups,andsnapshotsareencryptedforanencryptedAmazonRDSinstance.

AmazonRedshiftAmazonRedshiftisafast,powerful,fullymanaged,petabyte-scaledatawarehouseserviceinthecloud.AmazonRedshiftisarelationaldatabasedesignedforOLAPscenariosandoptimizedforhigh-performanceanalysisandreportingofverylargedatasets.Traditionaldatawarehousesaredifficultandexpensivetomanage,especiallyforlargedatasets.AmazonRedshiftnotonlysignificantlylowersthecostofadatawarehouse,butitalsomakesiteasytoanalyzelargeamountsofdataveryquickly.

AmazonRedshiftgivesyoufastqueryingcapabilitiesoverstructureddatausingstandardSQLcommandstosupportinteractivequeryingoverlargedatasets.WithconnectivityviaODBCorJDBC,AmazonRedshiftintegrateswellwithvariousdataloading,reporting,datamining,andanalyticstools.AmazonRedshiftisbasedonindustry-standardPostgreSQL,somostexistingSQLclientapplicationswillworkwithonlyminimalchanges.

AmazonRedshiftmanagestheworkneededtosetup,operate,andscaleadatawarehouse,fromprovisioningtheinfrastructurecapacitytoautomatingongoingadministrativetaskssuchasbackupsandpatching.AmazonRedshiftautomaticallymonitorsyournodesanddrivestohelpyourecoverfromfailures.

ClustersandNodesThekeycomponentofanAmazonRedshiftdatawarehouseisacluster.Aclusteriscomposedofaleadernodeandoneormorecomputenodes.Theclientapplicationinteractsdirectlyonlywiththeleadernode,andthecomputenodesaretransparenttoexternalapplications.

AmazonRedshiftcurrentlyhassupportforsixdifferentnodetypesandeachhasadifferentmixofCPU,memory,andstorage.Thesixnodetypesaregroupedintotwocategories:DenseComputeandDenseStorage.TheDenseComputenodetypessupportclustersupto326TBusingfastSSDs,whiletheDenseStoragenodessupportclustersupto2PBusinglargemagneticdisks.Eachclusterconsistsofoneleadernodeandoneormorecomputenodes.Figure7.2showstheinternalcomponentsofanAmazonRedshiftdatawarehousecluster.

FIGURE7.2AmazonRedshiftclusterarchitecture

Eachclustercontainsoneormoredatabases.Userdataforeachtableisdistributedacrossthecomputenodes.YourapplicationorSQLclientcommunicateswithAmazonRedshiftusingstandardJDBCorODBCconnectionswiththeleadernode,whichinturncoordinatesqueryexecutionwiththecomputenodes.Yourapplicationdoesnotinteractdirectlywiththecomputenodes.

Thediskstorageforacomputenodeisdividedintoanumberofslices.Thenumberofslicespernodedependsonthenodesizeoftheclusterandtypicallyvariesbetween2and16.Thenodesallparticipateinparallelqueryexecution,workingondatathatisdistributedasevenlyaspossibleacrosstheslices.

Youcanincreasequeryperformancebyaddingmultiplenodestoacluster.Whenyousubmitaquery,AmazonRedshiftdistributesandexecutesthequeryinparallelacrossallofacluster’scomputenodes.AmazonRedshiftalsospreadsyourtabledataacrossallcomputenodesinaclusterbasedonadistributionstrategythatyouspecify.Thispartitioningofdataacrossmultiplecomputeresourcesallowsyoutoachievehighlevelsofperformance.

AmazonRedshiftallowsyoutoresizeaclustertoaddstorageandcomputecapacityovertimeasyourneedsevolve.Youcanalsochangethenodetypeofaclusterandkeeptheoverallsizethesame.Wheneveryouperformaresizeoperation,AmazonRedshiftwillcreateanew

clusterandmigratedatafromtheoldclustertothenewone.Duringaresizeoperation,thedatabasewillbecomeread-onlyuntiltheoperationisfinished.

TableDesignEachAmazonRedshiftclustercansupportoneormoredatabases,andeachdatabasecancontainmanytables.LikemostSQL-baseddatabases,youcancreateatableusingtheCREATETABLEcommand.Thiscommandspecifiesthenameofthetable,thecolumns,andtheirdatatypes.Inadditiontocolumnsanddatatypes,theAmazonRedshiftCREATETABLEcommandalsosupportsspecifyingcompressionencodings,distributionstrategy,andsortkeys.

DataTypesAmazonRedshiftcolumnssupportawiderangeofdatatypes.ThisincludescommonnumericdatatypeslikeINTEGER,DECIMAL,andDOUBLE,textdatatypeslikeCHARandVARCHAR,anddatedatatypeslikeDATEandTIMESTAMP.AdditionalcolumnscanbeaddedtoatableusingtheALTERTABLEcommand;however,existingcolumnscannotbemodified.

CompressionEncodingOneofthekeyperformanceoptimizationsusedbyAmazonRedshiftisdatacompression.Whenloadingdataforthefirsttimeintoanemptytable,AmazonRedshiftwillautomaticallysampleyourdataandselectthebestcompressionschemeforeachcolumn.Alternatively,youcanspecifycompressionencodingonaper-columnbasisaspartoftheCREATETABLEcommand.

DistributionStrategyOneoftheprimarydecisionswhencreatingatableinAmazonRedshiftishowtodistributetherecordsacrossthenodesandslicesinacluster.YoucanconfigurethedistributionstyleofatabletogiveAmazonRedshifthintsastohowthedatashouldbepartitionedtobestmeetyourquerypatterns.Whenyourunaquery,theoptimizershiftstherowstothecomputenodesasneededtoperformanyjoinsandaggregates.Thegoalinselectingatabledistributionstyleistominimizetheimpactoftheredistributionstepbyputtingthedatawhereitneedstobebeforethequeryisperformed.

Thedatadistributionstylethatyouselectforyourdatabasehasabigimpactonqueryperformance,storagerequirements,dataloading,andmaintenance.Bychoosingthebestdistributionstrategyforeachtable,youcanbalanceyourdatadistributionandsignificantlyimproveoverallsystemperformance.Whencreatingatable,youcanchoosebetweenoneofthreedistributionstyles:EVEN,KEY,orALL.

EVENdistributionThisisthedefaultoptionandresultsinthedatabeingdistributedacrosstheslicesinauniformfashionregardlessofthedata.

KEYdistributionWithKEYdistribution,therowsaredistributedaccordingtothevaluesinonecolumn.Theleadernodewillstorematchingvaluesclosetogetherandincreasequeryperformanceforjoins.

ALLdistributionWithALL,afullcopyoftheentiretableisdistributedtoeverynode.Thisisusefulforlookuptablesandotherlargetablesthatarenotupdatedfrequently.

SortKeysAnotherimportantdecisiontomakeduringthecreationofatableiswhethertospecifyoneormorecolumnsassortkeys.Sortingenablesefficienthandlingofrange-restrictedpredicates.Ifaqueryusesarange-restrictedpredicate,thequeryprocessorcanrapidlyskipoverlargenumbersofblocksduringtablescans.

Thesortkeysforatablecanbeeithercompoundorinterleaved.Acompoundsortkeyismoreefficientwhenquerypredicatesuseaprefix,whichisasubsetofthesortkeycolumnsinorder.Aninterleavedsortkeygivesequalweighttoeachcolumninthesortkey,soquerypredicatescanuseanysubsetofthecolumnsthatmakeupthesortkey,inanyorder.

LoadingDataAmazonRedshiftsupportsstandardSQLcommandslikeINSERTandUPDATEtocreateandmodifyrecordsinatable.Forbulkoperations,however,AmazonRedshiftprovidestheCOPYcommandasamuchmoreefficientalternativethanrepeatedlycallingINSERT.

ACOPYcommandcanloaddataintoatableinthemostefficientmanner,anditsupportsmultipletypesofinputdatasources.ThefastestwaytoloaddataintoAmazonRedshiftisdoingbulkdataloadsfromflatfilesstoredinanAmazonSimpleStorageService(AmazonS3)bucketorfromanAmazonDynamoDBtable.

WhenloadingdatafromAmazonS3,theCOPYcommandcanreadfrommultiplefilesatthesametime.AmazonRedshiftcandistributetheworkloadtothenodesandperformtheloadprocessinparallel.Insteadofhavingonesinglelargefilewithyourdata,youcanenableparallelprocessingbyhavingaclusterwithmultiplenodesandmultipleinputfiles.

Aftereachbulkdataloadthatmodifiesasignificantamountofdata,youwillneedtoperformaVACUUMcommandtoreorganizeyourdataandreclaimspaceafterdeletes.ItisalsorecommendedtorunanANALYZEcommandtoupdatetablestatistics.

DatacanalsobeexportedoutofAmazonRedshiftusingtheUNLOADcommand.ThiscommandcanbeusedtogeneratedelimitedtextfilesandstoretheminAmazonS3.

QueryingDataAmazonRedshiftallowsyoutowritestandardSQLcommandstoqueryyourtables.BysupportingcommandslikeSELECTtoqueryandjointables,analystscanquicklybecomeproductiveusingAmazonRedshiftorintegrateiteasily.Forcomplexqueries,youcananalyzethequeryplantobetteroptimizeyouraccesspattern.YoucanmonitortheperformanceoftheclusterandspecificqueriesusingAmazonCloudWatchandtheAmazonRedshiftwebconsole.

ForlargeAmazonRedshiftclusterssupportingmanyusers,youcanconfigureWorkloadManagement(WLM)toqueueandprioritizequeries.WLMallowsyoudefinemultiplequeuesandsettheconcurrencylevelforeachqueue.Forexample,youmightwanttohaveonequeuesetupforlong-runningqueriesandlimittheconcurrencyandanotherqueueforshort-runningqueriesandallowhigherlevelsofconcurrency.

SnapshotsSimilartoAmazonRDS,youcancreatepoint-in-timesnapshotsofyourAmazonRedshiftcluster.AsnapshotcanthenbeusedtorestoreacopyorcreateacloneofyouroriginalAmazonRedshiftcluster.SnapshotsaredurablystoredinternallyinAmazonS3byAmazonRedshift.

AmazonRedshiftsupportsbothautomatedsnapshotsandmanualsnapshots.Withautomatedsnapshots,AmazonRedshiftwillperiodicallytakesnapshotsofyourclusterandkeepacopyforaconfigurableretentionperiod.YoucanalsoperformmanualsnapshotsandsharethemacrossregionsorevenwithotherAWSaccounts.Manualsnapshotsareretaineduntilyouexplicitlydeletethem.

SecuritySecuringyourAmazonRedshiftclusterissimilartosecuringotherdatabasesrunninginthecloud.Yoursecurityplanshouldincludecontrolstoprotecttheinfrastructureresources,thedatabaseschema,therecordsinthetable,andnetworkaccess.Byaddressingsecurityateverylevel,youcansecurelyoperateanAmazonRedshiftdatawarehouseinthecloud.

ThefirstlayerofsecuritycomesattheinfrastructurelevelusingIAMpoliciesthatlimittheactionsAWSadministratorscanperform.WithIAM,youcancreatepoliciesthatgrantotherAWSusersthepermissiontocreateandmanagethelifecycleofacluster,includingscaling,backup,andrecoveryoperations.

Atthenetworklevel,AmazonRedshiftclusterscanbedeployedwithintheprivateIPaddressspaceofyourAmazonVPCtorestrictoverallnetworkconnectivity.Fine-grainednetworkaccesscanbefurtherrestrictedusingsecuritygroupsandnetworkACLsatthesubnetlevel.

Inadditiontocontrollinginfrastructureaccessattheinfrastructurelevel,youmustprotectaccessatthedatabaselevel.WhenyouinitiallycreateanAmazonRedshiftcluster,youwillcreateamasteruseraccountandpassword.ThemasteraccountcanbeusedtologintotheAmazonRedshiftdatabaseandtocreatemoreusersandgroups.Eachdatabaseusercanbegrantedpermissiontoschemas,tables,andotherdatabaseobjects.ThesepermissionsareindependentfromtheIAMpoliciesusedtocontrolaccesstotheinfrastructureresourcesandtheAmazonRedshiftclusterconfiguration.

ProtectingthedatastoredinAmazonRedshiftisanotherimportantaspectofyoursecuritydesign.AmazonRedshiftsupportsencryptionofdataintransitusingSSL-encryptedconnections,andalsoencryptionofdataatrestusingmultipletechniques.Toencryptdataatrest,AmazonRedshiftintegrateswithKMSandAWSCloudHSMforencryptionkeymanagementservices.Encryptionatrestandintransitassistsinmeetingcompliancerequirements,suchasfortheHealthInsurancePortabilityandAccountabilityAct(HIPAA)orthePaymentCardIndustryDataSecurityStandard(PCIDSS),andprovidesadditionalprotectionsforyourdata.

AmazonDynamoDBAmazonDynamoDBisafullymanagedNoSQLdatabaseservicethatprovidesfastandlow-latencyperformancethatscaleswithease.AmazonDynamoDBletsyouoffloadtheadministrativeburdensofoperatingadistributedNoSQLdatabaseandfocusontheapplication.AmazonDynamoDBsignificantlysimplifiesthehardwareprovisioning,setupandconfiguration,replication,softwarepatching,andclusterscalingofNoSQLdatabases.

AmazonDynamoDBisdesignedtosimplifydatabaseandclustermanagement,provideconsistentlyhighlevelsofperformance,simplifyscalabilitytasks,andimprovereliabilitywithautomaticreplication.DeveloperscancreateatableinAmazonDynamoDBandwriteanunlimitednumberofitemswithconsistentlatency.

AmazonDynamoDBcanprovideconsistentperformancelevelsbyautomaticallydistributingthedataandtrafficforatableovermultiplepartitions.Afteryouconfigureacertainreadorwritecapacity,AmazonDynamoDBwillautomaticallyaddenoughinfrastructurecapacitytosupporttherequestedthroughputlevels.Asyourdemandchangesovertime,youcanadjustthereadorwritecapacityafteratablehasbeencreated,andAmazonDynamoDBwilladdorremoveinfrastructureandadjusttheinternalpartitioningaccordingly.

Tohelpmaintainconsistent,fastperformancelevels,alltabledataisstoredonhigh-performanceSSDdiskdrives.Performancemetrics,includingtransactionsrates,canbemonitoredusingAmazonCloudWatch.Inadditiontoprovidinghigh-performancelevels,AmazonDynamoDBalsoprovidesautomatichigh-availabilityanddurabilityprotectionsbyreplicatingdataacrossmultipleAvailabilityZoneswithinanAWSRegion.

DataModelThebasiccomponentsoftheAmazonDynamoDBdatamodelincludetables,items,andattributes.AsdepictedinFigure7.3,atableisacollectionofitemsandeachitemisacollectionofoneormoreattributes.Eachitemalsohasaprimarykeythatuniquelyidentifiestheitem.

FIGURE7.3Table,items,attributesrelationship

Inarelationaldatabase,atablehasapredefinedschemasuchasthetablename,primarykey,listofitscolumnnames,andtheirdatatypes.Allrecordsstoredinthetablemusthavethesamesetofcolumns.Incontrast,AmazonDynamoDBonlyrequiresthatatablehaveaprimarykey,butitdoesnotrequireyoutodefinealloftheattributenamesanddatatypesinadvance.IndividualitemsinanAmazonDynamoDBtablecanhaveanynumberofattributes,althoughthereisalimitof400KBontheitemsize.

Eachattributeinanitemisaname/valuepair.Anattributecanbeasingle-valuedormulti-valuedset.Forexample,abookitemcanhavetitleandauthorsattributes.Eachbookhasonetitlebutcanhavemanyauthors.Themulti-valuedattributeisaset;duplicatevaluesarenotallowed.DataisstoredinAmazonDynamoDBinkey/valuepairssuchasthefollowing:

{

Id=101

ProductName="Book101Title"

ISBN="123–1234567890"

Authors=["Author1","Author2"]

Price=2.88

Dimensions="8.5x11.0x0.5"

PageCount=500

InPublication=1

ProductCategory="Book"

}

ApplicationscanconnecttotheAmazonDynamoDBserviceendpointandsubmitrequestsoverHTTP/Storeadandwriteitemstoatableoreventocreateanddeletetables.DynamoDBprovidesawebserviceAPIthatacceptsrequestsinJSONformat.WhileyoucouldprogramdirectlyagainstthewebserviceAPIendpoints,mostdeveloperschoosetousetheAWSSoftwareDevelopmentKit(SDK)tointeractwiththeiritemsandtables.TheAWSSDKisavailableinmanydifferentlanguagesandprovidesasimplified,high-levelprogramminginterface.

DataTypes

AmazonDynamoDBgivesyoualotofflexibilitywithyourdatabaseschema.Unlikeatraditionalrelationaldatabasethatrequiresyoutodefineyourcolumntypesaheadoftime,DynamoDBonlyrequiresaprimarykeyattribute.Eachitemthatisaddedtothetablecanthenaddadditionalattributes.Thisgivesyouflexibilityovertimetoexpandyourschemawithouthavingtorebuildtheentiretableanddealwithrecordversiondifferenceswithapplicationlogic.

Whenyoucreateatableorasecondaryindex,youmustspecifythenamesanddatatypesofeachprimarykeyattribute(partitionkeyandsortkey).AmazonDynamoDBsupportsawiderangeofdatatypesforattributes.Datatypesfallintothreemajorcategories:Scalar,Set,orDocument.

ScalarDataTypesAscalartyperepresentsexactlyonevalue.AmazonDynamoDBsupportsthefollowingfivescalartypes:

StringTextandvariablelengthcharactersupto400KB.SupportsUnicodewithUTF8encoding

NumberPositiveornegativenumberwithupto38digitsofprecision

BinaryBinarydata,images,compressedobjectsupto400KBinsize

BooleanBinaryflagrepresentingatrueorfalsevalue

NullRepresentsablank,empty,orunknownstate.String,Number,Binary,Booleancannotbeempty.

SetDataTypesSetsareusefultorepresentauniquelistofoneormorescalarvalues.Eachvalueinasetneedstobeuniqueandmustbethesamedatatype.Setsdonotguaranteeorder.AmazonDynamoDBsupportsthreesettypes:StringSet,NumberSet,andBinarySet.

StringSetUniquelistofStringattributes

NumberSetUniquelistofNumberattributes

BinarySetUniquelistofBinaryattributes

DocumentDataTypesDocumenttypeisusefultorepresentmultiplenestedattributes,similartothestructureofaJSONfile.AmazonDynamoDBsupportstwodocumenttypes:ListandMap.MultipleListsandMapscanbecombinedandnestedtocreatecomplexstructures.

ListEachListcanbeusedtostoreanorderedlistofattributesofdifferentdatatypes.

MapEachMapcanbeusedtostoreanunorderedlistofkey/valuepairs.MapscanbeusedtorepresentthestructureofanyJSONobject.

PrimaryKeyWhenyoucreateatable,youmustspecifytheprimarykeyofthetableinadditiontothetablename.Likearelationaldatabase,theprimarykeyuniquelyidentifieseachiteminthetable.Aprimarykeywillpointtoexactlyoneitem.AmazonDynamoDBsupportstwotypesofprimarykeys,andthisconfigurationcannotbechangedafteratablehasbeencreated:

PartitionKeyTheprimarykeyismadeofoneattribute,apartition(orhash)key.AmazonDynamoDBbuildsanunorderedhashindexonthisprimarykeyattribute.

PartitionandSortKeyTheprimarykeyismadeoftwoattributes.Thefirstattributeisthepartitionkeyandthesecondoneisthesort(orrange)key.Eachiteminthetableisuniquelyidentifiedbythecombinationofitspartitionandsortkeyvalues.Itispossiblefortwoitemstohavethesamepartitionkeyvalue,butthosetwoitemsmusthavedifferentsortkeyvalues.

Furthermore,eachprimarykeyattributemustbedefinedastypestring,number,orbinary.AmazonDynamoDBusesthepartitionkeytodistributetherequesttotherightpartition.

Ifyouareperformingmanyreadsorwritespersecondonthesameprimarykey,youwillnotbeabletofullyusethecomputecapacityoftheAmazonDynamoDBcluster.Abestpracticeistomaximizeyourthroughputbydistributingrequestsacrossthefullrangeofpartitionkeys.

ProvisionedCapacityWhenyoucreateanAmazonDynamoDBtable,youarerequiredtoprovisionacertainamountofreadandwritecapacitytohandleyourexpectedworkloads.Basedonyourconfigurationsettings,DynamoDBwillthenprovisiontherightamountofinfrastructurecapacitytomeetyourrequirementswithsustained,low-latencyresponsetimes.Overallcapacityismeasuredinreadandwritecapacityunits.ThesevaluescanlaterbescaledupordownbyusinganUpdateTableaction.

EachoperationagainstanAmazonDynamoDBtablewillconsumesomeoftheprovisionedcapacityunits.Thespecificamountofcapacityunitsconsumeddependslargelyonthesizeoftheitem,butalsoonotherfactors.Forreadoperations,theamountofcapacityconsumedalsodependsonthereadconsistencyselectedintherequest.Readmoreabouteventualandstrongconsistencylaterinthischapter.

Forexample,givenatablewithoutalocalsecondaryindex,youwillconsume1capacityunitifyoureadanitemthatis4KBorsmaller.Similarly,forwriteoperationsyouwillconsume1capacityunitifyouwriteanitemthatis1KBorsmaller.Thismeansthatifyoureadanitemthatis110KB,youwillconsume28capacityunits,or110/4=27.5roundedupto28.Forreadoperationsthatarestronglyconsistent,theywillusetwicethenumberofcapacityunits,or56inthisexample.

YoucanuseAmazonCloudWatchtomonitoryourAmazonDynamoDBcapacityandmakescalingdecisions.Thereisarichsetofmetrics,includingConsumedReadCapacityUnitsandConsumedWriteCapacityUnits.Ifyoudoexceedyourprovisionedcapacityforaperiodoftime,requestswillbethrottledandcanberetriedlater.YoucanmonitorandalertontheThrottledRequestsmetricusingAmazonCloudWatchtonotifyyouofchangingusagepatterns.

SecondaryIndexesWhenyoucreateatablewithapartitionandsortkey(formerlyknownasahashandrangekey),youcanoptionallydefineoneormoresecondaryindexesonthattable.Asecondaryindexletsyouquerythedatainthetableusinganalternatekey,inadditiontoqueriesagainsttheprimarykey.AmazonDynamoDBsupportstwodifferentkindsofindexes:

GlobalSecondaryIndexTheglobalsecondaryindexisanindexwithapartitionandsortkeythatcanbedifferentfromthoseonthetable.Youcancreateordeleteaglobalsecondaryindexonatableatanytime.

LocalSecondaryIndexThelocalsecondaryindexisanindexthathasthesamepartitionkeyattributeastheprimarykeyofthetable,butadifferentsortkey.Youcanonlycreatealocalsecondaryindexwhenyoucreateatable.

Secondaryindexesallowyoutosearchalargetableefficientlyandavoidanexpensivescanoperationtofinditemswithspecificattributes.Theseindexesallowyoutosupportdifferentqueryaccesspatternsandusecasesbeyondwhatispossiblewithonlyaprimarykey.Whileatablecanonlyhaveonelocalsecondaryindex,youcanhavemultipleglobalsecondaryindexes.

AmazonDynamoDBupdateseachsecondaryindexwhenanitemismodified.Theseupdatesconsumewritecapacityunits.Foralocalsecondaryindex,itemupdateswillconsumewritecapacityunitsfromthemaintable,whileglobalsecondaryindexesmaintaintheirownprovisionedthroughputsettingsseparatefromthetable.

WritingandReadingDataAfteryoucreateatablewithaprimarykeyandindexes,youcanbeginwritingandreadingitemstothetable.AmazonDynamoDBprovidesmultipleoperationsthatletyoucreate,update,anddeleteindividualitems.AmazonDynamoDBalsoprovidesmultiplequeryingoptionsthatletyousearchatableoranindexorretrievebackaspecificitemorabatchofitems.

WritingItemsAmazonDynamoDBprovidesthreeprimaryAPIactionstocreate,update,anddeleteitems:PutItem,UpdateItem,andDeleteItem.UsingthePutItemaction,youcancreateanewitemwithoneormoreattributes.CallstoPutItemwillupdateanexistingitemiftheprimarykeyalreadyexists.PutItemonlyrequiresatablenameandaprimarykey;anyadditionalattributesareoptional.

TheUpdateItemactionwillfindexistingitemsbasedontheprimarykeyandreplacetheattributes.Thisoperationcanbeusefultoonlyupdateasingleattributeandleavetheotherattributesunchanged.UpdateItemcanalsobeusedtocreateitemsiftheydon’talreadyexist.Finally,youcanremoveanitemfromatablebyusingDeleteItemandspecifyingaspecificprimarykey.

TheUpdateItemactionalsoprovidessupportforatomiccounters.Atomiccountersallowyoutoincrementanddecrementavalueandareguaranteedtobeconsistentacrossmultipleconcurrentrequests.Forexample,acounterattributeusedtotracktheoverallscoreofamobilegamecanbeupdatedbymanyclientsatthesametime.

Thesethreeactionsalsosupportconditionalexpressionsthatallowyoutoperformvalidationbeforeanactionisapplied.Forexample,youcanapplyaconditionalexpressiononPutItemthatchecksthatcertainconditionsaremetbeforetheitemiscreated.Thiscanbeusefultopreventaccidentaloverwritesortoenforcesometypeofbusinesslogicchecks.

ReadingItems

Afteranitemhasbeencreated,itcanberetrievedthroughadirectlookupbycallingtheGetItemactionorthroughasearchusingtheQueryorScanaction.GetItemallowsyoutoretrieveanitembasedonitsprimarykey.Alloftheitem’sattributesarereturnedbydefault,andyouhavetheoptiontoselectindividualattributestofilterdowntheresults.

Ifaprimarykeyiscomposedofapartitionkey,theentirepartitionkeyneedstobespecifiedtoretrievetheitem.Iftheprimarykeyisacompositeofapartitionkeyandasortkey,GetItemwillrequireboththepartitionandsortkeyaswell.EachcalltoGetItemconsumesreadcapacityunitsbasedonthesizeoftheitemandtheconsistencyoptionselected.

Bydefault,aGetItemoperationperformsaneventuallyconsistentread.Youcanoptionallyrequestastronglyconsistentreadinstead;thiswillconsumeadditionalreadcapacityunits,butitwillreturnthemostup-to-dateversionoftheitem.

EventualConsistencyWhenreadingitemsfromAmazonDynamoDB,theoperationcanbeeithereventuallyconsistentorstronglyconsistent.AmazonDynamoDBisadistributedsystemthatstoresmultiplecopiesofanitemacrossanAWSRegiontoprovidehighavailabilityandincreaseddurability.WhenanitemisupdatedinAmazonDynamoDB,itstartsreplicatingacrossmultipleservers.BecauseAmazonDynamoDBisadistributedsystem,thereplicationcantakesometimetocomplete.Becauseofthiswerefertothedataasbeingeventuallyconsistent,meaningthatareadrequestimmediatelyafterawriteoperationmightnotshowthelatestchange.Insomecases,theapplicationneedstoguaranteethatthedataisthelatestandAmazonDynamoDBoffersanoptionforstronglyconsistentreads.

EventuallyConsistentReadsWhenyoureaddata,theresponsemightnotreflecttheresultsofarecentlycompletedwriteoperation.Theresponsemightincludesomestaledata.Consistencyacrossallcopiesofthedataisusuallyreachedwithinasecond;ifyourepeatyourreadrequestafterashorttime,theresponsereturnsthelatestdata.

StronglyConsistentReadsWhenyouissueastronglyconsistentreadrequest,AmazonDynamoDBreturnsaresponsewiththemostup-to-datedatathatreflectsupdatesbyallpriorrelatedwriteoperationstowhichAmazonDynamoDBreturnedasuccessfulresponse.Astronglyconsistentreadmightbelessavailableinthecaseofanetworkdelayoroutage.Youcanrequestastronglyconsistentreadresultbyspecifyingoptionalparametersinyourrequest.

BatchOperationsAmazonDynamoDBalsoprovidesseveraloperationsdesignedforworkingwithlargebatchesofitems,includingBatchGetItemandBatchWriteItem.UsingtheBatchWriteItemaction,youcanperformupto25itemcreatesorupdateswithasingleoperation.Thisallowsyoutominimizetheoverheadofeachindividualcallwhenprocessinglargenumbersofitems.

SearchingItemsAmazonDynamoDBalsogivesyoutwooperations,QueryandScan,thatcanbeusedtosearchatableoranindex.AQueryoperationistheprimarysearchoperationyoucanusetofinditemsinatableorasecondaryindexusingonlyprimarykeyattributevalues.EachQueryrequiresapartitionkeyattributenameandadistinctvaluetosearch.Youcanoptionally

provideasortkeyvalueanduseacomparisonoperatortorefinethesearchresults.Resultsareautomaticallysortedbytheprimarykeyandarelimitedto1MB.

IncontrasttoaQuery,aScanoperationwillreadeveryiteminatableorasecondaryindex.Bydefault,aScanoperationreturnsallofthedataattributesforeveryiteminthetableorindex.Eachrequestcanreturnupto1MBofdata.Itemscanbefilteredoutusingexpressions,butthiscanbearesource-intensiveoperation.IftheresultsetforaQueryoraScanexceeds1MB,youcanpagethroughtheresultsin1MBincrements.

Formostoperations,performingaQueryoperationinsteadofaScanoperationwillbethemostefficientoption.PerformingaScanoperationwillresultinafullscanoftheentiretableorsecondaryindex,thenitfiltersoutvaluestoprovidethedesiredresult.UseaQueryoperationwhenpossibleandavoidaScanonalargetableorindexforonlyasmallnumberofitems.

ScalingandPartitioningAmazonDynamoDBisafullymanagedservicethatabstractsawaymostofthecomplexityinvolvedinbuildingandscalingaNoSQLcluster.Youcancreatetablesthatcanscaleuptoholdavirtuallyunlimitednumberofitemswithconsistentlow-latencyperformance.AnAmazonDynamoDBtablecanscalehorizontallythroughtheuseofpartitionstomeetthestorageandperformancerequirementsofyourapplication.Eachindividualpartitionrepresentsaunitofcomputeandstoragecapacity.Awell-designedapplicationwilltakethepartitionstructureofatableintoaccounttodistributereadandwritetransactionsevenlyandachievehightransactionratesatlowlatencies.

AmazonDynamoDBstoresitemsforasingletableacrossmultiplepartitions,asrepresentedinFigure7.4.AmazonDynamoDBdecideswhichpartitiontostoretheiteminbasedonthepartitionkey.Thepartitionkeyisusedtodistributethenewitemamongalloftheavailablepartitions,anditemswiththesamepartitionkeywillbestoredonthesamepartition.

FIGURE7.4Tablepartitioning

Asthenumberofitemsinatablegrows,additionalpartitionscanbeaddedbysplittinganexistingpartition.Theprovisionedthroughputconfiguredforatableisalsodividedevenlyamongthepartitions.Provisionedthroughputallocatedtoapartitionisentirelydedicatedtothatpartition,andthereisnosharingofprovisionedthroughputacrosspartitions.

Whenatableiscreated,AmazonDynamoDBconfiguresthetable’spartitionsbasedonthedesiredreadandwritecapacity.Onesinglepartitioncanholdabout10GBofdataandsupportsamaximumof3,000readcapacityunitsor1,000writecapacityunits.Forpartitionsthatarenotfullyusingtheirprovisionedcapacity,AmazonDynamoDBprovidessomeburstcapacitytohandlespikesintraffic.Aportionofyourunusedcapacitywillbereservedtohandleburstsforshortperiods.

Asstorageorcapacityrequirementschange,AmazonDynamoDBcansplitapartitiontoaccommodatemoredataorhigherprovisionedrequestrates.Afterapartitionissplit,however,itcannotbemergedbacktogether.Keepthisinmindwhenplanningtoincreaseprovisionedcapacitytemporarilyandthenloweritagain.Witheachadditionalpartitionadded,itsshareoftheprovisionedcapacityisreduced.

Toachievethefullamountofrequestthroughputprovisionedforatable,keepyourworkloadspreadevenlyacrossthepartitionkeyvalues.Distributingrequestsacrosspartitionkeyvaluesdistributestherequestsacrosspartitions.Forexample,ifatablehas10,000readcapacityunitsconfiguredbutallofthetrafficishittingonepartitionkey,youwillnotbeabletogetmorethanthe3,000maximumreadcapacityunitsthatonepartitioncansupport.

TomaximizeAmazonDynamoDBthroughput,createtableswithapartitionkeythathasalargenumberofdistinctvaluesandensurethatthevaluesarerequestedfairlyuniformly.Addingarandomelementthatcanbecalculatedorhashedisonecommontechniquetoimprovepartitiondistribution.

SecurityAmazonDynamoDBgivesyougranularcontrolovertheaccessrightsandpermissionsforusersandadministrators.AmazonDynamoDBintegrateswiththeIAMservicetoprovidestrongcontroloverpermissionsusingpolicies.Youcancreateoneormorepoliciesthatallowordenyspecificoperationsonspecifictables.Youcanalsouseconditionstorestrictaccesstoindividualitemsorattributes.

Alloperationsmustfirstbeauthenticatedasavaliduserorusersession.ApplicationsthatneedtoreadandwritefromAmazonDynamoDBneedtoobtainasetoftemporaryorpermanentaccesscontrolkeys.Whilethesekeyscouldbestoredinaconfigurationfile,abestpracticeisforapplicationsrunningonAWStouseIAMAmazonEC2instanceprofilestomanagecredentials.IAMAmazonEC2instanceprofilesorrolesallowyoutoavoidstoringsensitivekeysinconfigurationfilesthatmustthenbesecured.

Formobileapplications,abestpracticeistouseacombinationofwebidentityfederationwiththeAWSSecurityTokenService(AWSSTS)toissuetemporarykeysthatexpireafterashortperiod.

AmazonDynamoDBalsoprovidessupportforfine-grainedaccesscontrolthatcanrestrictaccesstospecificitemswithinatableorevenspecificattributeswithinanitem.Forexample,youmaywanttolimitausertoonlyaccesshisorheritemswithinatableandpreventaccesstoitemsassociatedwithadifferentuser.UsingconditionsinanIAMpolicyallowsyoutorestrictwhichactionsausercanperform,onwhichtables,andtowhichattributesausercanreadorwrite.

AmazonDynamoDBStreamsAcommonrequirementformanyapplicationsistokeeptrackofrecentchangesandthenperformsomekindofprocessingonthechangedrecords.AmazonDynamoDBStreamsmakesiteasytogetalistofitemmodificationsforthelast24-hourperiod.Forexample,youmightneedtocalculatemetricsonarollingbasisandupdateadashboard,ormaybesynchronizetwotablesorlogactivityandchangestoanaudittrail.WithAmazonDynamoDBStreams,thesetypesofapplicationsbecomeeasiertobuild.

AmazonDynamoDBStreamsallowsyoutoextendapplicationfunctionalitywithoutmodifyingtheoriginalapplication.Byreadingthelogofactivitychangesfromthestream,youcanbuildnewintegrationsorsupportnewreportingrequirementsthatweren’tpartoftheoriginaldesign.

Eachitemchangeisbufferedinatime-orderedsequenceorstreamthatcanbereadbyotherapplications.Changesareloggedtothestreaminnearreal-timeandallowyoutorespondquicklyorchaintogetherasequenceofeventsbasedonamodification.

StreamscanbeenabledordisabledforanAmazonDynamoDBtableusingtheAWSManagementConsole,CommandLineInterface(CLI),orSDK.Astreamconsistsofstreamrecords.EachstreamrecordrepresentsasingledatamodificationintheAmazonDynamoDBtabletowhichthestreambelongs.Eachstreamrecordisassignedasequencenumber,reflectingtheorderinwhichtherecordwaspublishedtothestream.

Streamrecordsareorganizedintogroups,alsoreferredtoasshards.Eachshardactsasacontainerformultiplestreamrecordsandcontainsinformationonaccessinganditeratingthroughtherecords.Shardsliveforamaximumof24hoursand,withfluctuatingloadlevels,couldbesplitoneormoretimesbeforetheyareeventuallyclosed.

Tobuildanapplicationthatreadsfromashard,itisrecommendedtousetheAmazonDynamoDBStreamsKinesisAdapter.TheKinesisClientLibrary(KCL)simplifiestheapplicationlogicrequiredtoprocessreadingrecordsfromstreamsandshards.

SummaryInthischapter,youlearnedthebasicconceptsofrelationaldatabases,datawarehouses,andNoSQLdatabases.YoualsolearnedaboutthebenefitsandfeaturesofAWSmanageddatabaseservicesAmazonRDS,AmazonRedshift,andAmazonDynamoDB.

AmazonRDSmanagestheheavyliftinginvolvedinadministeringadatabaseinfrastructureandsoftwareandletsyoufocusonbuildingtherelationalschemasthatbestfityourusecaseandtheperformancetuningtooptimizeyourqueries.

AmazonRDSsupportspopularopen-sourceandcommercialdatabaseenginesandprovidesaconsistentoperationalmodelforcommonadministrativetasks.Increaseyouravailabilitybyrunningamaster-slaveconfigurationacrossAvailabilityZonesusingMulti-AZdeployment.Scaleyourapplicationandincreaseyourdatabasereadperformanceusingreadreplicas.

AmazonRedshiftallowsyoutodeployadatawarehouseclusterthatisoptimizedforanalyticsandreportingworkloadswithinminutes.AmazonRedshiftdistributesyourrecordsusingcolumnarstorageandparallelizesyourqueryexecutionacrossmultiplecomputenodestodeliverfastqueryperformance.AmazonRedshiftclusterscanbescaledupordowntosupportlarge,petabyte-scaledatabasesusingSSDormagneticdiskstorage.

ConnecttoAmazonRedshiftclustersusingstandardSQLclientswithJDBC/ODBCdriversandexecuteSQLqueriesusingmanyofthesameanalyticsandETLtoolsthatyouusetoday.LoaddataintoyourAmazonRedshiftclustersusingtheCOPYcommandtobulkimportflatfilesstoredinAmazonS3,thenrunstandardSELECTcommandstosearchandquerythetable.

BackupbothyourAmazonRDSdatabasesandAmazonRedshiftclustersusingautomatedandmanualsnapshotstoallowforpoint-in-timerecovery.SecureyourAmazonRDSandAmazonRedshiftdatabasesusingacombinationofIAM,database-levelaccesscontrol,network-levelaccesscontrol,anddataencryptiontechniques.

AmazonDynamoDBsimplifiestheadministrationandoperationsofaNoSQLdatabaseinthecloud.AmazonDynamoDBallowsyoutocreatetablesquicklythatcanscaletoanunlimitednumberofitemsandconfigureveryhighlevelsofprovisionedreadandwritecapacity.

AmazonDynamoDBtablesprovideaflexibledatastoragemechanismthatonlyrequiresaprimarykeyandallowsforoneormoreattributes.AmazonDynamoDBsupportsbothsimplescalardatatypeslikeStringandNumber,andalsomorecomplexstructuresusingListandMap.SecureyourAmazonDynamoDBtablesusingIAMandrestrictaccesstoitemsandattributesusingfine-grainedaccesscontrol.

AmazonDynamoDBwillhandlethedifficulttaskofclusterandpartitionmanagementandprovideyouwithahighlyavailabledatabasetablethatreplicatesdataacrossAvailabilityZonesforincreaseddurability.TrackandprocessrecentchangesbytappingintoAmazonDynamoDBStreams.

ExamEssentialsKnowwhatarelationaldatabaseis.Arelationaldatabaseconsistsofoneormoretables.CommunicationtoandfromrelationaldatabasesusuallyinvolvessimpleSQLqueries,suchas“Addanewrecord,”or“Whatisthecostofproductx?”ThesesimplequeriesareoftenreferredtoasOLTP.

UnderstandwhichdatabasesaresupportedbyAmazonRDS.AmazonRDScurrentlysupportssixrelationaldatabaseengines:

MicrosoftSQLServer

MySQLServer

Oracle

PostgreSQL

MariaDB

AmazonAurora

UnderstandtheoperationalbenefitsofusingAmazonRDS.AmazonRDSisamanagedserviceprovidedbyAWS.AWSisresponsibleforpatching,antivirus,andmanagementoftheunderlyingguestOSforAmazonRDS.AmazonRDSgreatlysimplifiestheprocessofsettingasecondaryslavewithreplicationforfailoverandsettingupreadreplicastooffloadqueries.

RememberthatyoucannotaccesstheunderlyingOSforAmazonRDSDBinstances.YoucannotuseRemoteDesktopProtocol(RDP)orSSHtoconnecttotheunderlyingOS.IfyouneedtoaccesstheOS,installcustomsoftwareoragents,orwanttouseadatabaseenginenotsupportedbyAmazonRDS,considerrunningyourdatabaseonAmazonEC2instead.

KnowthatyoucanincreaseavailabilityusingAmazonRDSMulti-AZdeployment.AddfaulttolerancetoyourAmazonRDSdatabaseusingMulti-AZdeployment.YoucanquicklysetupasecondaryDBInstanceinanotherAvailabilityZonewithMulti-AZforrapidfailover.

UnderstandtheimportanceofRPOandRTO.EachapplicationshouldsetRPOandRTOtargetstodefinetheamountofacceptabledatalossandalsotheamountoftimerequiredtorecoverfromanincident.AmazonRDScanbeusedtomeetawiderangeofRPOandRTOrequirements.

UnderstandthatAmazonRDShandlesMulti-AZfailoverforyou.IfyourprimaryAmazonRDSInstancebecomesunavailable,AWSfailsovertoyoursecondaryinstanceinanotherAvailabilityZoneautomatically.ThisfailoverisdonebypointingyourexistingdatabaseendpointtoanewIPaddress.Youdonothavetochangetheconnectionstringmanually;AWShandlestheDNSchangeautomatically.

RememberthatAmazonRDSreadreplicasareusedforscalingoutandincreasedperformance.Thisreplicationfeaturemakesiteasytoscaleoutyourread-intensivedatabases.ReadreplicasarecurrentlysupportedinAmazonRDSforMySQL,PostgreSQL,

andAmazonAurora.YoucancreateoneormorereplicasofadatabasewithinasingleAWSRegionoracrossmultipleAWSRegions.AmazonRDSusesnativereplicationtopropagatechangesmadetoasourceDBInstancetoanyassociatedreadreplicas.AmazonRDSalsosupportscross-regionreadreplicastoreplicatechangesasynchronouslytoanothergeographyorAWSRegion.

KnowwhataNoSQLdatabaseis.NoSQLdatabasesarenon-relationaldatabases,meaningthatyoudonothavetohaveanexistingtablecreatedinwhichtostoreyourdata.NoSQLdatabasescomeinthefollowingformats:

Documentdatabases

Graphstores

Key/valuestores

Wide-columnstores

RememberthatAmazonDynamoDBisAWSNoSQLservice.YoushouldrememberthatforNoSQLdatabases,AWSprovidesafullymanagedservicecalledAmazonDynamoDB.AmazonDynamoDBisanextremelyfastNoSQLdatabasewithpredictableperformanceandhighscalability.YoucanuseAmazonDynamoDBtocreateatablethatcanstoreandretrieveanyamountofdataandserveanylevelofrequesttraffic.AmazonDynamoDBautomaticallyspreadsthedataandtrafficforthetableoverasufficientnumberofpartitionstohandletherequestcapacityspecifiedbythecustomerandtheamountofdatastored,whilemaintainingconsistentandfastperformance.

Knowwhatadatawarehouseis.Adatawarehouseisacentralrepositoryfordatathatcancomefromoneormoresources.ThisdatarepositorywouldbeusedforqueryandanalysisusingOLAP.Anorganization’smanagementtypicallyusesadatawarehousetocompilereportsonspecificdata.Datawarehousesareusuallyqueriedwithhighlycomplexqueries.

RememberthatAmazonRedshiftisAWSdatawarehouseservice.YoushouldrememberthatAmazonRedshiftisAmazon’sdatawarehouseservice.AmazonRedshiftorganizesthedatabycolumninsteadofstoringdataasaseriesofrows.Becauseonlythecolumnsinvolvedinthequeriesareprocessedandcolumnardataisstoredsequentiallyonthestoragemedia,column-basedsystemsrequirefarfewerI/Os,whichgreatlyimprovesqueryperformance.Anotheradvantageofcolumnardatastorageistheincreasedcompression,whichcanfurtherreduceoverallI/O.

ExercisesInordertopasstheexam,youshouldpracticedeployingdatabasesandcreatingtablesusingAmazonRDS,AmazonDynamoDB,andAmazonRedshift.Remembertodeleteanyresourcesyouprovisiontominimizeanycharges.

EXERCISE7.1

CreateaMySQLAmazonRDSInstance1. LogintotheAWSManagementConsole,andnavigatetotheAmazonRDSConsole.

2. LaunchanewAmazonRDSDBInstance,andselectMySQLCommunityEditioninstanceasthedatabaseengine.

3. ConfiguretheDBInstancetouseMulti-AZandGeneralPurpose(SSD)storage.

Warning:ThisisnoteligibleforAWSFreeTier;youwillincurasmallchargebyprovisioningthisinstance.

4. SettheDBInstanceidentifieranddatabasenametoMySQL123,andconfigurethemasterusernameandpassword.

5. Validatetheconfigurationsettings,andlaunchtheDBInstance.

6. ReturntothelistoftheAmazonRDSinstances.YouwillseethestatusofyourAmazonRDSdatabaseasCreating.Itmaytakeupto20minutestocreateyournewAmazonRDSinstance.

YouhaveprovisionedyourfirstAmazonRDSinstanceusingMulti-AZ.

EXERCISE7.2

SimulateaFailoverfromOneAZtoAnotherInthisexercise,youwilluseMulti-AZfailovertosimulateafailoverfromoneAvailabilityZonetoanother.

1. IntheAmazonRDSConsole,viewthelistofDBInstances.

2. FindyourDBInstancecalledMySQL123,andcheckitsstatus.WhenitsstatusisAvailable,proceedtothenextstep.

3. Selecttheinstance,andissueaRebootcommandfromtheactionsmenu.

4. Confirmthereboot.

YouhavenowsimulatedafailoverfromoneAvailabilityZonetoanotherusingMulti-AZfailover.Thefailovershouldtakeapproximatelytwoorthreeminutes.

EXERCISE7.3

CreateaReadReplicaInthisexercise,youwillcreateareadreplicaofyourexistingMySQL123DBserver.

1. IntheAmazonRDSConsole,viewthelistofDBInstances.

2. FindyourDBInstancecalledMySQL123,andcheckitsstatus.WhenitsstatusisAvailable,proceedtothenextstep.

3. Selecttheinstance,andissueaCreateReadReplicacommandfromthelistofactions.

4. Configurethenameofthereadreplicaandanyothersettings.Createthereplica.

5. Waitforthereplicatobecreated,whichcantypicallytakeseveralminutes.Whenitiscomplete,deleteboththeMySQL123andMySQLReadReplicadatabasesbyclickingthecheckboxesnexttothem,clickingtheInstanceActionsdrop-downbox,andthenclickingDelete.

Intheprecedingexercises,youcreatedanewAmazonRDSMySQLinstancewithMulti-AZenabled.YouthensimulatedafailoverfromoneAvailabilityZonetoanotherbyrebootingtheprimaryinstance.Afterthat,youscaledyourAmazonRDSinstanceoutbycreatingareadreplicaoftheprimarydatabase.DeletetheDBInstance.

EXERCISE7.4

ReadandWritefromaDynamoDBTableInthisexercise,youwillcreateanAmazonDynamoDBtableandthenreadandwritetoitusingtheAWSManagementConsole.

1. LogintotheAWSManagementConsole,andviewtheAmazonDynamoDBconsole.

2. CreateanewtablenamedUserProfilewithapartitionkeyofuserIDoftypeString.

3. Afterthetablehasbeencreated,viewthelistofitemsinthetable.

4. UsingtheAmazonDynamoDBconsole,createandsaveanewiteminthetable.SettheuserIDtoU01,andappendanotherStringattributecallednamewithavalueofJoe.

5. Performascanonthetabletoretrievethenewitem.

YouhavenowcreatedasimpleAmazonDynamoDBtable,putanewitem,andretrieveditusingScan.DeletetheDynamoDBtable.

EXERCISE7.5

LaunchaRedshiftClusterInthisexercise,youwillcreateadatawarehouseusingAmazonRedshiftandthenreadandwritetoitusingtheAWSManagementConsole.

1. LogintotheAWSManagementConsole,andviewtheAmazonRedshiftConsole.

2. Createanewcluster,configuringthedatabasename,username,andpassword.

3. ConfiguretheclustertobesinglenodeusingoneSSD-backedstoragenode.

4. LaunchtheclusterintoanAmazonVPCusingtheappropriatesecuritygroup.

5. InstallandconfigureSQLWorkbenchonyourlocalcomputer,andconnecttothenewcluster.

6. CreateanewtableandloaddatausingtheCOPYcommand.

YouhavenowcreatedanAmazonRedshiftclusterandconnectedtoitusingastandardSQLclient.Deletetheclusterwhenyouhavecompletedtheexercise.

ReviewQuestions1. WhichAWSdatabaseserviceisbestsuitedfortraditionalOnlineTransactionProcessing(OLTP)?

A. AmazonRedshift

B. AmazonRelationalDatabaseService(AmazonRDS)

C. AmazonGlacier

D. ElasticDatabase

2. WhichAWSdatabaseserviceisbestsuitedfornon-relationaldatabases?

A. AmazonRedshift


C. AmazonGlacier

D. AmazonDynamoDB

3. YouareasolutionsarchitectworkingforamediacompanythathostsitswebsiteonAWS.Currently,thereisasingleAmazonElasticComputeCloud(AmazonEC2)InstanceonAWSwithMySQLinstalledlocallytothatAmazonEC2Instance.Youhavebeenaskedtomakethecompany’sproductionenvironmentmoreresilientandtoincreaseperformance.YousuggestthatthecompanysplitouttheMySQLdatabaseontoanAmazonRDSInstancewithMulti-AZenabled.Thisaddressesthecompany’sincreasedresiliencyrequirements.Nowyouneedtosuggesthowyoucanincreaseperformance.Ninety-ninepercentofthecompany’sendusersaremagazinesubscriberswhowillbereadingadditionalarticlesonthewebsite,soonlyonepercentofenduserswillneedtowritedatatothesite.Whatshouldyousuggesttoincreaseperformance?

A. Altertheconnectionstringsothatifauserisgoingtowritedata,itiswrittentothesecondarycopyoftheMulti-AZdatabase.

B. Altertheconnectionstringsothatifauserisgoingtowritedata,itiswrittentotheprimarycopyoftheMulti-AZdatabase.

C. Recommendthatthecompanyusereadreplicas,anddistributethetrafficacrossmultiplereadreplicas.

D. MigratetheMySQLdatabasetoAmazonRedshifttotakeadvantageofcolumnarstorageandmaximizeperformance.

4. WhichAWSCloudserviceisbestsuitedforOnlineAnalyticsProcessing(OLAP)?

A. AmazonRedshift


C. AmazonGlacier

D. AmazonDynamoDB

5. YouhavebeenusingAmazonRelationalDatabaseService(AmazonRDS)forthelast

yeartorunanimportantapplicationwithautomatedbackupsenabled.Oneofyourteammembersisperformingroutinemaintenanceandaccidentallydropsanimportanttable,causinganoutage.Howcanyourecoverthemissingdatawhileminimizingthedurationoftheoutage?

A. Performanundooperationandrecoverthetable.

B. RestorethedatabasefromarecentautomatedDBsnapshot.

C. RestoreonlythedroppedtablefromtheDBsnapshot.

D. Thedatacannotberecovered.

6. WhichAmazonRelationalDatabaseService(AmazonRDS)databaseenginessupportMulti-AZ?

A. Allofthem

B. MicrosoftSQLServer,MySQL,andOracle

C. Oracle,AmazonAurora,andPostgreSQL

D. MySQL

7. WhichAmazonRelationalDatabaseService(AmazonRDS)databaseenginessupportreadreplicas?

A. MicrosoftSQLServerandOracle

B. MySQL,MariaDB,PostgreSQL,andAurora

C. Aurora,MicrosoftSQLServer,andOracle

D. MySQLandPostgreSQL

8. YourteamisbuildinganorderprocessingsystemthatwillspanmultipleAvailabilityZones.Duringtesting,theteamwantedtotesthowtheapplicationwillreacttoadatabasefailover.Howcanyouenablethistypeoftest?

A. ForceaMulti-AZfailoverfromoneAvailabilityZonetoanotherbyrebootingtheprimaryinstanceusingtheAmazonRDSconsole.

B. TerminatetheDBinstance,andcreateanewone.Updatetheconnectionstring.

C. Createasupportcaseaskingforafailover.

D. Itisnotpossibletotestafailover.

9. YouareasystemadministratorwhosecompanyhasmoveditsproductiondatabasetoAWS.YourcompanymonitorsitsestateusingAmazonCloudWatch,whichsendsalarmsusingAmazonSimpleNotificationService(AmazonSNS)toyourmobilephone.Onenight,yougetanalertthatyourprimaryAmazonRelationalDatabaseService(AmazonRDS)Instancehasgonedown.YouhaveMulti-AZenabledonthisinstance.Whatshouldyoudotoensurethefailoverhappensquickly?

A. UpdateyourDomainNameSystem(DNS)topointtothesecondaryinstance’snewIPaddress,forcingyourapplicationtofailovertothesecondaryinstance.

B. ConnecttoyourserverusingSecureShell(SSH)andupdateyourconnectionstrings

sothatyourapplicationcancommunicatetothesecondaryinstanceinsteadofthefailedprimaryinstance.

C. Takeasnapshotofthesecondaryinstanceandcreateanewinstanceusingthissnapshot,thenupdateyourconnectionstringtopointtothenewinstance.

D. Noactionisnecessary.Yourconnectionstringpointstothedatabaseendpoint,andAWSautomaticallyupdatesthisendpointtopointtoyoursecondaryinstance.

10. Youareworkingforasmallorganizationwithoutadedicateddatabaseadministratoronstaff.YouneedtoinstallMicrosoftSQLServerEnterpriseeditionquicklytosupportanaccountingbackofficeapplicationonAmazonRelationalDatabaseService(AmazonRDS).Whatshouldyoudo?

A. LaunchanAmazonRDSDBInstance,andselectMicrosoftSQLServerEnterpriseEditionundertheBringYourOwnLicense(BYOL)model.

B. ProvisionSQLServerEnterpriseEditionusingtheLicenseIncludedoptionfromtheAmazonRDSConsole.

C. SQLServerEnterpriseeditionisonlyavailableviatheCommandLineInterface(CLI).Installthecommand-linetoolsonyourlaptop,andthenprovisionyournewAmazonRDSInstanceusingtheCLI.

D. YoucannotuseSQLServerEnterpriseeditiononAmazonRDS.YoushouldinstallthisontoadedicatedAmazonElasticComputeCloud(AmazonEC2)Instance.

11. Youarebuildingthedatabasetierforanenterpriseapplicationthatgetsoccasionalactivitythroughouttheday.Whichstoragetypeshouldyouselectasyourdefaultoption?

A. Magneticstorage

B. GeneralPurposeSolidStateDrive(SSD)

C. ProvisionedIOPS(SSD)

D. StorageAreaNetwork(SAN)-attached

12. Youaredesigningane-commercewebapplicationthatwillscaletopotentiallyhundredsofthousandsofconcurrentusers.Whichdatabasetechnologyisbestsuitedtoholdthesessionstateforlargenumbersofconcurrentusers?

A. RelationaldatabaseusingAmazonRelationalDatabaseService(AmazonRDS)

B. NoSQLdatabasetableusingAmazonDynamoDB

C. DatawarehouseusingAmazonRedshift

D. AmazonSimpleStorageService(AmazonS3)

13. WhichofthefollowingtechniquescanyouusetohelpyoumeetRecoveryPointObjective(RPO)andRecoveryTimeObjective(RTO)requirements?(Choose3answers)

A. DBsnapshots

B. DBoptiongroups

C. Readreplica

D. Multi-AZdeployment

14. WhenusingAmazonRelationalDatabaseService(AmazonRDS)Multi-AZ,howcanyouoffloadreadrequestsfromtheprimary?(Choose2answers)

A. Configuretheconnectionstringoftheclientstoconnecttothesecondarynodeandperformreadswhiletheprimaryisusedforwrites.

B. AmazonRDSautomaticallysendswritestotheprimaryandsendsreadstothesecondary.

C. AddareadreplicaDBinstance,andconfiguretheclient’sapplicationlogictousearead-replica.

D. CreateacachingenvironmentusingElastiCachetocachefrequentlyuseddata.Updatetheapplicationlogictoread/writefromthecache.

15. Youarebuildingalargeorderprocessingsystemandareresponsibleforsecuringthedatabase.Whichactionswillyoutaketoprotectthedata?(Choose3answers)

A. AdjustAWSIdentityandAccessManagement(IAM)permissionsforadministrators.

B. ConfiguresecuritygroupsandnetworkAccessControlLists(ACLs)tolimitnetworkaccess.

C. Configuredatabaseusers,andgrantpermissionstodatabaseobjects.

D. Installanti-virussoftwareontheAmazonRDSDBInstance.

16. YourteammanagesapopularwebsiterunningAmazonRelationalDatabaseService(AmazonRDS)MySQLbackend.TheMarketingdepartmenthasjustinformedyouaboutanupcomingtelevisioncommercialthatwilldrivethousandsofnewvisitorstothewebsite.Howcanyouprepareyourdatabasetohandletheload?(Choose3answers)

A. VerticallyscaletheDBInstancebyselectingamorepowerfulinstanceclass.

B. Createreadreplicastooffloadreadrequestsandupdateyourapplication.

C. UpgradethestoragefromMagneticvolumestoGeneralPurposeSolidStateDrive(SSD)volumes.

D. UpgradetoAmazonRedshiftforfastercolumnarstorage.

17. YouarebuildingaphotomanagementapplicationthatmaintainsmetadataonmillionsofimagesinanAmazonDynamoDBtable.Whenaphotoisretrieved,youwanttodisplaythemetadatanexttotheimage.WhichAmazonDynamoDBoperationwillyouusetoretrievethemetadataattributesfromthetable?

A. Scanoperation

B. Searchoperation

C. Queryoperation

D. Findoperation

18. YouarecreatinganAmazonDynamoDBtablethatwillcontainmessagesforasocialchatapplication.Thistablewillhavethefollowingattributes:Username(String),Timestamp(Number),Message(String).Whichattributeshouldyouuseasthepartitionkey?The

sortkey?

A. Username,Timestamp

B. Username,Message

C. Timestamp,Message

D. Message,Timestamp

19. WhichofthefollowingstatementsaboutAmazonDynamoDBtablesaretrue?(Choose2answers)

A. Globalsecondaryindexescanonlybecreatedwhenthetableisbeingcreated.

B. Localsecondaryindexescanonlybecreatedwhenthetableisbeingcreated.

C. Youcanonlyhaveoneglobalsecondaryindex.

D. Youcanonlyhaveonelocalsecondaryindex.

20. WhichofthefollowingworkloadsareagoodfitforrunningonAmazonRedshift?(Choose2answers)

A. Transactionaldatabasesupportingabusye-commerceorderprocessingwebsite

B. Reportingdatabasesupportingback-officeanalytics

C. Datawarehouseusedtoaggregatemultipledisparatedatasources

D. Managesessionstateanduserprofiledataforthousandsofconcurrentusers

Chapter8SQS,SWF,andSNSTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:1Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems




Planninganddesign


Familiaritywith:


Architecturaltrade-offdecisions(e.g.,highavailabilityvs.cost,AmazonRelationalDatabaseService[AmazonRDS]vs.installingyourowndatabaseonAmazonElasticComputeCloud[AmazonEC2])



2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVPC,andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Domain4.0:Troubleshooting


Generaltroubleshootinginformationandquestions

ThereareanumberofservicesundertheApplicationandMobileServicessectionoftheAWSManagementConsole.Atthetimeofwritingthischapter,application

servicesincludeAmazonSimpleQueueService(AmazonSQS),AmazonSimpleWorkflowService(AmazonSWF),AmazonAppStream,AmazonElasticTranscoder,AmazonSimpleEmailService(AmazonSES),AmazonCloudSearch,andAmazonAPIGateway.MobileservicesincludeAmazonCognito,AmazonSimpleNotificationService(AmazonSNS),AWSDeviceFarm,andAmazonMobileAnalytics.Thischapterfocusesonthecoreservicesyouarerequiredtobefamiliarwithtopasstheexam:AmazonSQS,AmazonSWF,andAmazonSNS.

AmazonSimpleQueueService(AmazonSQS)AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcosteffectivetodecouplethecomponentsofacloudapplication.YoucanuseAmazonSQStotransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobecontinuouslyavailable.

WithAmazonSQS,youcanoffloadtheadministrativeburdenofoperatingandscalingahighlyavailablemessagingclusterwhilepayingalowpriceforonlywhatyouuse.UsingAmazonSQS,youcanstoreapplicationmessagesonreliableandscalableinfrastructure,enablingyoutomovedatabetweendistributedcomponentstoperformdifferenttasksasneeded.

AnAmazonSQSqueueisbasicallyabufferbetweentheapplicationcomponentsthatreceivedataandthosecomponentsthatprocessthedatainyoursystem.Ifyourprocessingserverscannotprocesstheworkfastenough(perhapsduetoaspikeintraffic),theworkisqueuedsothattheprocessingserverscangettoitwhentheyareready.Thismeansthatworkisnotlostduetoinsufficientresources.

AmazonSQSensuresdeliveryofeachmessageatleastonceandsupportsmultiplereadersandwritersinteractingwiththesamequeue.Asinglequeuecanbeusedsimultaneouslybymanydistributedapplicationcomponents,withnoneedforthosecomponentstocoordinatewithoneanothertosharethequeue.Althoughmostofthetimeeachmessagewillbedeliveredtoyourapplicationexactlyonce,youshoulddesignyoursystemtobeidempotent(thatis,itmustnotbeadverselyaffectedifitprocessesthesamemessagemorethanonce).

AmazonSQSisengineeredtobehighlyavailableandtodelivermessagesreliablyandefficiently;however,theservicedoesnotguaranteeFirstIn,FirstOut(FIFO)deliveryofmessages.Formanydistributedapplications,eachmessagecanstandonitsownand,ifallmessagesaredelivered,theorderisnotimportant.Ifyoursystemrequiresthatorderbepreserved,youcanplacesequencinginformationineachmessagesothatyoucanreorderthemessageswhentheyareretrievedfromthequeue.

MessageLifecycleThediagramandprocessshowninFigure8.1describesthelifecycleofanAmazonSQSmessage,calledMessageA,fromcreationtodeletion.Assumethataqueuealreadyexists.

FIGURE8.1Messagelifecycle

1. Component1sendsMessageAtoaqueue,andthemessageisredundantlydistributedacrosstheAmazonSQSservers.

2. WhenComponent2isreadytoprocessamessage,itretrievesmessagesfromthequeue,andMessageAisreturned.WhileMessageAisbeingprocessed,itremainsinthequeueandisnotreturnedtosubsequentlyreceiverequestsforthedurationofthevisibilitytimeout.

3. Component2deletesMessageAfromthequeuetopreventthemessagefrombeingreceivedandprocessedagainafterthevisibilitytimeoutexpires.

DelayQueuesandVisibilityTimeoutsDelayqueuesallowyoutopostponethedeliveryofnewmessagesinaqueueforaspecificnumberofseconds.Ifyoucreateadelayqueue,anymessagethatyousendtothatqueuewillbeinvisibletoconsumersforthedurationofthedelayperiod.Tocreateadelayqueue,useCreateQueueandsettheDelaySecondsattributetoanyvaluebetween0and900(15minutes).YoucanalsoturnanexistingqueueintoadelayqueuebyusingSetQueueAttributestosetthequeue’sDelaySecondsattribute.ThedefaultvalueforDelaySecondsis0.

Delayqueuesaresimilartovisibilitytimeoutsinthatbothfeaturesmakemessages

unavailabletoconsumersforaspecificperiodoftime.Thedifferenceisthatadelayqueuehidesamessagewhenitisfirstaddedtothequeue,whereasavisibilitytimeouthidesamessageonlyafterthatmessageisretrievedfromthequeue.Figure8.2illustratesthefunctioningofavisibilitytimeout.

FIGURE8.2Diagramofvisibilitytimeout

Whenamessageisinthequeuebutisneitherdelayednorinavisibilitytimeout,itisconsideredtobe“inflight.”Youcanhaveupto120,000messagesinflightatanygiventime.AmazonSQSsupportsupto12hours’maximumvisibilitytimeout.

SeparateThroughputfromLatency

LikemanyotherAWSCloudservices,AmazonSQSisaccessedthroughHTTPrequest-response,andatypicalAmazonSQSrequest-responsetakesabitlessthan20msfromAmazonElasticComputeCloud(AmazonEC2).Thismeansthatfromasinglethread,youcan,onaverage,issue50+ApplicationProgrammingInterface(API)requestspersecond(abitfewerforbatchAPIrequests,butthosedomorework).Thethroughputscaleshorizontally,sothemorethreadsandhostsyouadd,thehigherthethroughput.Usingthisscalingmodel,someAWScustomershavequeuesthatprocessthousandsofmessageseverysecond.

QueueOperations,UniqueIDs,andMetadataThedefinedoperationsforAmazonSQSqueuesareCreateQueue,ListQueues,DeleteQueue,SendMessage,SendMessageBatch,ReceiveMessage,DeleteMessage,DeleteMessageBatch,PurgeQueue,ChangeMessageVisibility,ChangeMessageVisibilityBatch,SetQueueAttributes,GetQueueAttributes,GetQueueUrl,ListDeadLetterSourceQueues,AddPermission,andRemovePermission.OnlytheAWSaccountowneroranAWSidentitythathasbeengrantedtheproperpermissionscanperformoperations.

YourmessagesareidentifiedviaagloballyuniqueIDthatAmazonSQSreturnswhenthemessageisdeliveredtothequeue.TheIDisn’trequiredinordertoperformanyfurtheractionsonthemessage,butit’susefulfortrackingwhetheraparticularmessageinthequeuehasbeenreceived.Whenyoureceiveamessagefromthequeue,theresponseincludesa

receipthandle,whichyoumustprovidewhendeletingthemessage.

QueueandMessageIdentifiersAmazonSQSusesthreeidentifiersthatyouneedtobefamiliarwith:queueURLs,messageIDs,andreceipthandles.

Whencreatinganewqueue,youmustprovideaqueuenamethatisuniquewithinthescopeofallofyourqueues.AmazonSQSassignseachqueueanidentifiercalledaqueueURL,whichincludesthequeuenameandothercomponentsthatAmazonSQSdetermines.Wheneveryouwanttoperformanactiononaqueue,youmustprovideitsqueueURL.

AmazonSQSassignseachmessageauniqueIDthatitreturnstoyouintheSendMessageresponse.Thisidentifierisusefulforidentifyingmessages,butnotethattodeleteamessage,youneedthemessage’sreceipthandleinsteadofthemessageID.ThemaximumlengthofamessageIDis100characters.

Eachtimeyoureceiveamessagefromaqueue,youreceiveareceipthandleforthatmessage.Thehandleisassociatedwiththeactofreceivingthemessage,notwiththemessageitself.Asstatedpreviously,todeletethemessageortochangethemessagevisibility,youmustprovidethereceipthandleandnotthemessageID.Thismeansyoumustalwaysreceiveamessagebeforeyoucandeleteit(thatis,youcan’tputamessageintothequeueandthenrecallit).Themaximumlengthofareceipthandleis1,024characters.

MessageAttributesAmazonSQSprovidessupportformessageattributes.Messageattributesallowyoutoprovidestructuredmetadataitems(suchastimestamps,geospatialdata,signatures,andidentifiers)aboutthemessage.Messageattributesareoptionalandseparatefrom,butsentalongwith,themessagebody.Thereceiverofthemessagecanusethisinformationtohelpdecidehowtohandlethemessagewithouthavingtoprocessthemessagebodyfirst.Eachmessagecanhaveupto10attributes.Tospecifymessageattributes,youcanusetheAWSManagementConsole,AWSSoftwareDevelopmentKits(SDKs),oraqueryAPI.

LongPollingWhenyourapplicationqueriestheAmazonSQSqueueformessages,itcallsthefunctionReceiveMessage.ReceiveMessagewillcheckfortheexistenceofamessageinthequeueandreturnimmediately,eitherwithorwithoutamessage.Ifyourcodemakesperiodiccallstothequeue,thispatternissufficient.IfyourSQSclientisjustaloopthatrepeatedlychecksfornewmessages,however,thenthispatternbecomesproblematic,astheconstantcallstoReceiveMessageburnCPUcyclesandtieupathread.

Inthissituation,youwillwanttouselongpolling.Withlongpolling,yousendaWaitTimeSecondsargumenttoReceiveMessageofupto20seconds.Ifthereisnomessageinthequeue,thenthecallwillwaituptoWaitTimeSecondsforamessagetoappearbeforereturning.Ifamessageappearsbeforethetimeexpires,thecallwillreturnthemessagerightaway.Longpollingdrasticallyreducestheamountofloadonyourclient.

DeadLetterQueues

AmazonSQSprovidessupportfordeadletterqueues.Adeadletterqueueisaqueuethatother(source)queuescantargettosendmessagesthatforsomereasoncouldnotbesuccessfullyprocessed.Aprimarybenefitofusingadeadletterqueueistheabilitytosidelineandisolatetheunsuccessfullyprocessedmessages.Youcanthenanalyzeanymessagessenttothedeadletterqueuetotrytodeterminethecauseoffailure.

Messagescanbesenttoandreceivedfromadeadletterqueue,justlikeanyotherAmazonSQSqueue.YoucancreateadeadletterqueuefromtheAmazonSQSAPIandtheAmazonSQSconsole.

AccessControlWhileIAMcanbeusedtocontroltheinteractionsofdifferentAWSidentitieswithqueues,thereareoftentimeswhenyouwillwanttoexposequeuestootheraccounts.Thesesituationsmayinclude:

YouwanttograntanotherAWSaccountaparticulartypeofaccesstoyourqueue(forexample,SendMessage).

YouwanttograntanotherAWSaccountaccesstoyourqueueforaspecificperiodoftime.

YouwanttograntanotherAWSaccountaccesstoyourqueueonlyiftherequestscomefromyourAmazonEC2instances.

YouwanttodenyanotherAWSaccountaccesstoyourqueue.

WhileclosecoordinationbetweenaccountsmayallowthesetypesofactionsthroughtheuseofIAMroles,thatlevelofcoordinationisfrequentlyunfeasible.

AmazonSQSAccessControlallowsyoutoassignpoliciestoqueuesthatgrantspecificinteractionstootheraccountswithoutthataccounthavingtoassumeIAMrolesfromyouraccount.ThesepoliciesarewritteninthesameJSONlanguageasIAM.Forexample,thefollowingsamplepolicygivesthedeveloperwithAWSaccountnumber111122223333theSendMessagepermissionforthequeuenamed444455556666/queue1intheUSEast(N.Virginia)region.

{

"Version":"2012–10–17",

"Id":"Queue1_Policy_UUID",

"Statement":[

{

"Sid":"Queue1_SendMessage",

"Effect":"Allow",

"Principal":{

"AWS":"111122223333"

},

"Action":"sqs:SendMessage",

"Resource":"arn:aws:sqs:us-east-1:444455556666:queue1"

}

]

}

TradeoffMessageDurabilityandLatency

AmazonSQSdoesnotreturnsuccesstoaSendMessageAPIcalluntilthemessageisdurablystoredinAmazonSQS.Thismakestheprogrammingmodelverysimplewithnodoubtaboutthesafetyofmessages,unlikethesituationwithanasynchronousmessagingmodel.Ifyoudon’tneedadurablemessagingsystem,however,youcanbuildanasynchronous,client-sidebatchingontopofAmazonSQSlibrariesthatdelaysenqueueofmessagestoAmazonSQSandtransmitsasetofmessagesinabatch.Pleasebeawarethatwithaclient-sidebatchingapproach,youcouldpotentiallylosemessageswhenyourclientprocessorclienthostdiesforanyreason.

AmazonSimpleWorkflowService(AmazonSWF)AmazonSWFmakesiteasytobuildapplicationsthatcoordinateworkacrossdistributedcomponents.InAmazonSWF,ataskrepresentsalogicalunitofworkthatisperformedbyacomponentofyourapplication.Coordinatingtasksacrosstheapplicationinvolvesmanaginginter-taskdependencies,scheduling,andconcurrencyinaccordancewiththelogicalflowoftheapplication.AmazonSWFgivesyoufullcontroloverimplementingandcoordinatingtaskswithoutworryingaboutunderlyingcomplexitiessuchastrackingtheirprogressandmaintainingtheirstate.

WhenusingAmazonSWF,youimplementworkerstoperformtasks.Theseworkerscanruneitheroncloudinfrastructure,suchasAmazonEC2,oronyourownpremises.Youcancreatelong-runningtasksthatmightfail,timeout,orrequirerestarts,ortasksthatcancompletewithvaryingthroughputandlatency.AmazonSWFstorestasks,assignsthemtoworkerswhentheyareready,monitorstheirprogress,andmaintainstheirstate,includingdetailsontheircompletion.Tocoordinatetasks,youwriteaprogramthatgetsthelateststateofeachtaskfromAmazonSWFandusesittoinitiatesubsequenttasks.AmazonSWFmaintainsanapplication’sexecutionstatedurablysothattheapplicationisresilienttofailuresinindividualcomponents.WithAmazonSWF,youcanimplement,deploy,scale,andmodifytheseapplicationcomponentsindependently.

WorkflowsUsingAmazonSWF,youcanimplementdistributed,asynchronousapplicationsasworkflows.Workflowscoordinateandmanagetheexecutionofactivitiesthatcanberunasynchronouslyacrossmultiplecomputingdevicesandthatcanfeaturebothsequentialandparallelprocessing.

Whendesigningaworkflow,analyzeyourapplicationtoidentifyitscomponenttasks,whicharerepresentedinAmazonSWFasactivities.Theworkflow’scoordinationlogicdeterminestheorderinwhichactivitiesareexecuted.

WorkflowDomainsDomainsprovideawayofscopingAmazonSWFresourceswithinyourAWSaccount.Youmustspecifyadomainforallthecomponentsofaworkflow,suchastheworkflowtypeandactivitytypes.Itispossibletohavemorethanoneworkflowinadomain;however,workflowsindifferentdomainscannotinteractwithoneanother.

WorkflowHistoryTheworkflowhistoryisadetailed,complete,andconsistentrecordofeveryeventthatoccurredsincetheworkflowexecutionstarted.Aneventrepresentsadiscretechangeinyourworkflowexecution’sstate,suchasscheduledandcompletedactivities,tasktimeouts,andsignals.

ActorsAmazonSWFconsistsofanumberofdifferenttypesofprogrammaticfeaturesknownas

actors.Actorscanbeworkflowstarters,deciders,oractivityworkers.TheseactorscommunicatewithAmazonSWFthroughitsAPI.Youcandevelopactorsinanyprogramminglanguage.

Aworkflowstarterisanyapplicationthatcaninitiateworkflowexecutions.Forexample,oneworkflowstartercouldbeane-commercewebsitewhereacustomerplacesanorder.Anotherworkflowstartercouldbeamobileapplicationwhereacustomerorderstakeoutfoodorrequestsataxi.

Activitieswithinaworkflowcanrunsequentially,inparallel,synchronously,orasynchronously.Thelogicthatcoordinatesthetasksinaworkflowiscalledthedecider.Thedeciderschedulestheactivitytasksandprovidesinputdatatotheactivityworkers.Thedecideralsoprocesseseventsthatarrivewhiletheworkflowisinprogressandclosestheworkflowwhentheobjectivehasbeencompleted.

Anactivityworkerisasinglecomputerprocess(orthread)thatperformstheactivitytasksinyourworkflow.Differenttypesofactivityworkersprocesstasksofdifferentactivitytypes,andmultipleactivityworkerscanprocessthesametypeoftask.Whenanactivityworkerisreadytoprocessanewactivitytask,itpollsAmazonSWFfortasksthatareappropriateforthatactivityworker.Afterreceivingatask,theactivityworkerprocessesthetasktocompletionandthenreturnsthestatusandresulttoAmazonSWF.Theactivityworkerthenpollsforanewtask.

TasksAmazonSWFprovidesactivityworkersanddeciderswithworkassignments,givenasoneofthreetypesoftasks:activitytasks,AWSLambdatasks,anddecisiontasks.

Anactivitytasktellsanactivityworkertoperformitsfunction,suchastocheckinventoryorchargeacreditcard.Theactivitytaskcontainsalltheinformationthattheactivityworkerneedstoperformitsfunction.

AnAWSLambdataskissimilartoanactivitytask,butexecutesanAWSLambdafunctioninsteadofatraditionalAmazonSWFactivity.FormoreinformationabouthowtodefineanAWSLambdatask,seetheAWSdocumentationonAWSLambdatasks.

Adecisiontasktellsadeciderthatthestateoftheworkflowexecutionhaschangedsothatthedecidercandeterminethenextactivitythatneedstobeperformed.Thedecisiontaskcontainsthecurrentworkflowhistory.

AmazonSWFschedulesadecisiontaskwhentheworkflowstartsandwheneverthestateoftheworkflowchanges,suchaswhenanactivitytaskcompletes.Eachdecisiontaskcontainsapaginatedviewoftheentireworkflowexecutionhistory.ThedecideranalyzestheworkflowexecutionhistoryandrespondsbacktoAmazonSWFwithasetofdecisionsthatspecifywhatshouldoccurnextintheworkflowexecution.Essentially,everydecisiontaskgivesthedecideranopportunitytoassesstheworkflowandprovidedirectionbacktoAmazonSWF.

TaskListsTasklistsprovideawayoforganizingthevarioustasksassociatedwithaworkflow.Youcouldthinkoftasklistsassimilartodynamicqueues.WhenataskisscheduledinAmazonSWF,youcanspecifyaqueue(tasklist)toputitin.Similarly,whenyoupollAmazonSWFfora

task,youdeterminewhichqueue(tasklist)togetthetaskfrom.

Tasklistsprovideaflexiblemechanismtoroutetaskstoworkersasyourusecasenecessitates.Tasklistsaredynamicinthatyoudon’tneedtoregisteratasklistorexplicitlycreateitthroughanaction—simplyschedulingataskcreatesthetasklistifitdoesn’talreadyexist.

LongPollingDecidersandactivityworkerscommunicatewithAmazonSWFusinglongpolling.ThedecideroractivityworkerperiodicallyinitiatescommunicationwithAmazonSWF,notifyingAmazonSWFofitsavailabilitytoacceptatask,andthenspecifiesatasklisttogettasksfrom.Longpollingworkswellforhigh-volumetaskprocessing.Decidersandactivityworkerscanmanagetheirowncapacity.

ObjectIdentifiersAmazonSWFobjectsareuniquelyidentifiedbyworkflowtype,activitytype,decisionandactivitytasks,andworkflowexecution:

Aregisteredworkflowtypeisidentifiedbyitsdomain,name,andversion.WorkflowtypesarespecifiedinthecalltoRegisterWorkflowType.

Aregisteredactivitytypeisidentifiedbyitsdomain,name,andversion.ActivitytypesarespecifiedinthecalltoRegisterActivityType.

Eachdecisiontaskandactivitytaskisidentifiedbyauniquetasktoken.ThetasktokenisgeneratedbyAmazonSWFandisreturnedwithotherinformationaboutthetaskintheresponsefromPollForDecisionTaskorPollForActivityTask.Althoughthetokenismostcommonlyusedbytheprocessthatreceivedthetask,thatprocesscouldpassthetokentoanotherprocess,whichcouldthenreportthecompletionorfailureofthetask.

Asingleexecutionofaworkflowisidentifiedbythedomain,workflowID,andrunID.ThefirsttwoareparametersthatarepassedtoStartWorkflowExecution.TherunIDisreturnedbyStartWorkflowExecution.

WorkflowExecutionClosureAfteryoustartaworkflowexecution,itisopen.Anopenworkflowexecutioncanbeclosedascompleted,canceled,failed,ortimedout.Itcanalsobecontinuedasanewexecution,oritcanbeterminated.Thedecider,thepersonadministeringtheworkflow,orAmazonSWFcancloseaworkflowexecution.

LifecycleofaWorkflowExecutionFromthestartofaworkflowexecutiontoitscompletion,AmazonSWFinteractswithactorsbyassigningthemappropriatetasks:eitheractivitytasksordecisiontasks.

Figure8.3showsthelifecycleofanorder-processingworkflowexecutionfromtheperspectiveofcomponentsthatactonit.

FIGURE8.3AmazonSWFworkflowillustration

Thefollowing20stepsdescribetheworkflowdetailedinFigure8.3:

1. AworkflowstartercallsanAmazonSWFactiontostarttheworkflowexecutionforanorder,providingorderinformation.

2. AmazonSWFreceivesthestartworkflowexecutionrequestandthenschedulesthefirstdecisiontask.

3. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,andappliesthecoordinationlogictodeterminethatnopreviousactivitiesoccurred.ItthenmakesadecisiontoscheduletheVerifyOrderactivitywiththeinformationtheactivityworkerneedstoprocessthetaskandreturnsthedecisiontoAmazonSWF.

4. AmazonSWFreceivesthedecision,schedulestheVerifyOrderactivitytask,andwaitsfortheactivitytasktocompleteortimeout.

5. AnactivityworkerthatcanperformtheVerifyOrderactivityreceivesthetask,performsit,andreturnstheresultstoAmazonSWF.

6. AmazonSWFreceivestheresultsoftheVerifyOrderactivity,addsthemtotheworkflowhistory,andschedulesadecisiontask.

7. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoscheduleaChargeCreditCardactivitytaskwithinformationtheactivityworkerneedstoprocessthetask,andreturnsthedecisiontoAmazonSWF.

8. AmazonSWFreceivesthedecision,schedulestheChargeCreditCardactivitytask,andwaitsforittocompleteortimeout.

9. AnactivityworkeractivityreceivestheChargeCreditCardtask,performsit,andreturnstheresultstoAmazonSWF.

10. AmazonSWFreceivestheresultsoftheChargeCreditCardactivitytask,addsthemtotheworkflowhistory,andschedulesadecisiontask.

11. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoscheduleaShipOrderactivitytaskwiththeinformationtheactivityworkerneedstoperformthetask,andreturnsthedecisiontoAmazonSWF.

12. AmazonSWFreceivesthedecision,schedulesaShipOrderactivitytask,andwaitsforit

tocompleteortimeout.

13. AnactivityworkerthatcanperformtheShipOrderactivityreceivesthetask,performsit,andreturnstheresultstoAmazonSWF.

14. AmazonSWFreceivestheresultsoftheShipOrderactivitytask,addsthemtotheworkflowhistory,andschedulesadecisiontask.

15. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoscheduleaRecordCompletionactivitytaskwiththeinformationtheactivityworkerneeds,performsthetask,andreturnsthedecisiontoAmazonSWF.

16. AmazonSWFreceivesthedecision,schedulesaRecordCompletionactivitytask,andwaitsforittocompleteortimeout.

17. AnactivityworkerRecordCompletionreceivesthetask,performsit,andreturnstheresultstoAmazonSWF.

18. AmazonSWFreceivestheresultsoftheRecordCompletionactivitytask,addsthemtotheworkflowhistory,andschedulesadecisiontask.

19. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoclosetheworkflowexecution,andreturnsthedecisionalongwithanyresultstoAmazonSWF.

20. AmazonSWFclosestheworkflowexecutionandarchivesthehistoryforfuturereference.

AmazonSimpleNotificationService(AmazonSNS)AmazonSNSisawebserviceformobileandenterprisemessagingthatenablesyoutosetup,operate,andsendnotifications.Itisdesignedtomakeweb-scalecomputingeasierfordevelopers.AmazonSNSfollowsthepublish-subscribe(pub-sub)messagingparadigm,withnotificationsbeingdeliveredtoclientsusingapushmechanismthateliminatestheneedtocheckperiodically(orpoll)fornewinformationandupdates.Forexample,youcansendnotificationstoApple,Android,FireOS,andWindowsdevices.InChina,youcansendmessagestoAndroiddeviceswithBaiduCloudPush.YoucanuseAmazonSNStosendShortMessageService(SMS)messagestomobiledeviceusersintheUnitedStatesortoemailrecipientsworldwide.

AmazonSNSconsistsoftwotypesofclients:publishersandsubscribers(sometimesknownasproducersandconsumers).Publisherscommunicatetosubscribersasynchronouslybysendingamessagetoatopic.Atopicissimplyalogicalaccesspoint/communicationchannelthatcontainsalistofsubscribersandthemethodsusedtocommunicatetothem.Whenyousendamessagetoatopic,itisautomaticallyforwardedtoeachsubscriberofthattopicusingthecommunicationmethodconfiguredforthatsubscriber.

Figure8.4showsthisprocessatahighlevel.Apublisherissuesamessageonatopic.Themessageisthendeliveredtothesubscribersofthattopicusingdifferentmethods,suchasAmazonSQS,HTTP,HTTPS,email,SMS,andAWSLambda.

FIGURE8.4Diagramoftopicdelivery

WhenusingAmazonSNS,you(astheowner)createatopicandcontrolaccesstoitbydefiningpoliciesthatdeterminewhichpublishersandsubscriberscancommunicatewiththetopicandviawhichtechnologies.Publisherssendmessagestotopicsthattheycreatedorthat

theyhavepermissiontopublishto.Insteadofincludingaspecificdestinationaddressineachmessage,apublishersendsamessagetothetopic,andAmazonSNSdeliversthemessagetoeachsubscriberforthattopic.EachtopichasauniquenamethatidentifiestheAmazonSNSendpointwherepublisherspostmessagesandsubscribersregisterfornotifications.Subscribersreceiveallmessagespublishedtothetopicstowhichtheysubscribe,andallsubscriberstoatopicreceivethesamemessages.

CommonAmazonSNSScenariosAmazonSNScansupportawidevarietyofneeds,includingmonitoringapplications,workflowsystems,time-sensitiveinformationupdates,mobileapplications,andanyotherapplicationthatgeneratesorconsumesnotifications.Forexample,youcanuseAmazonSNStorelayeventsinworkflowsystemsamongdistributedcomputerapplications,movedatabetweendatastores,orupdaterecordsinbusinesssystems.Eventupdatesandnotificationsconcerningvalidation,approval,inventorychanges,andshipmentstatusareimmediatelydeliveredtorelevantsystemcomponentsandendusers.AnotherexampleuseforAmazonSNSistorelaytime-criticaleventstomobileapplicationsanddevices.BecauseAmazonSNSisbothhighlyreliableandscalable,itprovidessignificantadvantagestodeveloperswhobuildapplicationsthatrelyonreal-timeevents.

Tohelpillustrate,thefollowingsectionsdescribesomecommonAmazonSNSscenarios,includingfanoutscenarios,applicationandsystemalerts,pushemailandtextmessaging,andmobilepushnotifications.

FanoutAfanoutscenarioiswhenanAmazonSNSmessageissenttoatopicandthenreplicatedandpushedtomultipleAmazonSQSqueues,HTTPendpoints,oremailaddresses(seeFigure8.5).Thisallowsforparallelasynchronousprocessing.Forexample,youcandevelopanapplicationthatsendsanAmazonSNSmessagetoatopicwheneveranorderisplacedforaproduct.ThentheAmazonSQSqueuesthataresubscribedtothattopicwillreceiveidenticalnotificationsfortheneworder.AnAmazonEC2instanceattachedtooneofthequeueshandlestheprocessingorfulfillmentoftheorder,whileanAmazonEC2instanceattachedtoaparallelqueuesendsorderdatatoadatawarehouseapplication/serviceforanalysis.

FIGURE8.5Diagramoffanoutscenario

Anotherwaytousefanoutistoreplicatedatasenttoyourproductionenvironmentandintegrateitwithyourdevelopmentenvironment.Expandinguponthepreviousexample,youcansubscribeyetanotherqueuetothesametopicfornewincomingorders.Then,byattachingthisnewqueuetoyourdevelopmentenvironment,youcancontinuetoimproveandtestyourapplicationusingdatareceivedfromyourproductionenvironment.

ApplicationandSystemAlertsApplicationandsystemalertsareSMSand/oremailnotificationsthataretriggeredbypredefinedthresholds.Forexample,becausemanyAWSCloudservicesuseAmazonSNS,youcanreceiveimmediatenotificationwhenaneventoccurs,suchasaspecificchangetoyourAutoScalinggroupinAWS.

PushEmailandTextMessagingPushemailandtextmessagingaretwowaystotransmitmessagestoindividualsorgroupsviaemailand/orSMS.Forexample,youcanuseAmazonSNStopushtargetednewsheadlinestosubscribersbyemailorSMS.UponreceivingtheemailorSMStext,interestedreaderscanthenchoosetolearnmorebyvisitingawebsiteorlaunchinganapplication.

MobilePushNotificationsMobilepushnotificationsenableyoutosendmessagesdirectlytomobileapplications.Forexample,youcanuseAmazonSNSforsendingnotificationstoanapplication,indicatingthatanupdateisavailable.Thenotificationmessagecanincludealinktodownloadandinstalltheupdate.

SummaryInthischapter,youlearnedaboutthecoreapplicationandmobileservicesthatyouwillbetestedoninyourAWSCertifiedSolutionsArchitect–Associateexam.

AmazonSQSisauniqueservicedesignedbyAmazontohelpyoudecoupleyourinfrastructure.UsingAmazonSQS,youcanstoremessagesonreliableandscalableinfrastructureastheytravelbetweendistributedcomponentsofyourapplicationsthatperformdifferenttasks,withoutlosingmessagesorrequiringeachcomponenttobecontinuouslyavailable.

UnderstandAmazonSQSqueueoperations,uniqueIDs,andmetadata.BefamiliarwithqueueandmessageidentifierssuchasqueueURLs,messageIDs,andreceipthandles.Understandrelatedconceptssuchasdelayqueues,messageattributes,longpolling,messagetimers,deadletterqueues,accesscontrol,andtheoverallmessagelifecycle.

AmazonSWFallowsyoutocreateapplicationsthatcoordinateworkacrossdistributedcomponents.AmazonSWFisdrivenbytasks,whicharelogicalunitsofworkthatdifferentcomponentsofyourapplicationperform.Tomanagetasksacrossyourapplication,youneedtobeawareofinter-taskdependencies,schedulingoftasks,andusingtasksconcurrently.AmazonSWFsimplifiesthecoordinationofworkflowtasks,givingyoufullcontrolovertheirimplementationwithoutworryingaboutunderlyingcomplexitiessuchastrackingtheirprogressandmaintainingtheirstate.

YoumustbefamiliarwiththefollowingAmazonSWFcomponentsandthelifecycleofaworkflowexecution:

Workers,starters,anddeciders

Workflows

Workflowhistory

Actors

Tasks

Domains

Objectidentifiers

Tasklists

Workflowexecutionclosure

Longpolling

AmazonSNSisapushnotificationservicethatletsyousendindividualormultiplemessagestolargenumbersofrecipients.AmazonSNSconsistsoftwotypesofclients:publishersandsubscribers(sometimesknownasproducersandconsumers).Publisherscommunicatetosubscribersasynchronouslybysendingamessagetoatopic.Atopicissimplyalogicalaccesspoint/communicationchannelthatcontainsalistofsubscribersandthemethodsusedtocommunicatetothem.Whenyousendamessagetoatopic,itisautomaticallyforwardedtoeachsubscriberofthattopicusingthecommunicationmethodconfiguredforthatsubscriber.

AmazonSNScansupportawidevarietyofneeds,includingmonitoringapplications,workflowsystems,time-sensitiveinformationupdates,mobileapplications,andanyotherapplicationthatgeneratesorconsumesnotifications.UnderstandsomecommonAmazonSNSscenarios,including:

Fanout

Applicationandsystemalerts

Pushemailandtextmessaging

Mobilepushnotifications

ExamEssentialsKnowhowtouseAmazonSQS.AmazonSQSisauniqueservicedesignedbyAmazontohelpyoutodecoupleyourinfrastructure.UsingAmazonSQS,youcanstoremessagesonreliableandscalableinfrastructureastheytravelbetweenyourservers.Thisallowsyoutomovedatabetweendistributedcomponentsofyourapplicationsthatperformdifferenttaskswithoutlosingmessagesorrequiringeachcomponentalwaystobeavailable.

UnderstandAmazonSQSvisibilitytimeouts.VisibilitytimeoutisaperiodoftimeduringwhichAmazonSQSpreventsothercomponentsfromreceivingandprocessingamessagebecauseanothercomponentisalreadyprocessingit.Bydefault,themessagevisibilitytimeoutissetto30seconds,andthemaximumthatitcanbeis12hours.

KnowhowtouseAmazonSQSlongpolling.LongpollingallowsyourAmazonSQSclienttopollanAmazonSQSqueue.Ifnothingisthere,ReceiveMessagewaitsbetween1and20seconds.Ifamessagearrivesinthattime,itisreturnedtothecallerassoonaspossible.Ifamessagedoesnotarriveinthattime,youneedtoexecutetheReceiveMessagefunctionagain.ThishelpsyouavoidpollingintightloopsandpreventsyoufromburningthroughCPUcycles,keepingcostslow.

KnowhowtouseAmazonSWF.AmazonSWFallowsyoutomakeapplicationsthatcoordinateworkacrossdistributedcomponents.AmazonSWFisdrivenbytasks,whicharelogicalunitsofworkthatpartofyourapplicationperforms.Tomanagetasksacrossyourapplication,youneedtobeawareofinter-taskdependencies,schedulingoftasks,andusingtasksconcurrently.ThisiswhereAmazonSWFcanhelpyou.Itgivesyoufullcontroloverimplementingtasksandcoordinatingthemwithoutworryingaboutunderlyingcomplexitiessuchastrackingtheirprogressandmaintainingtheirstate.

KnowthebasicsofanAmazonSWFworkflow.Aworkflowisacollectionofactivities(coordinatedbylogic)thatcarryoutaspecificgoal.Forexample,aworkflowreceivesacustomerorderandtakeswhateveractionsarenecessarytofulfillit.EachworkflowrunsinanAWSresourcecalledadomain,whichcontrolsthescopeoftheworkflow.AnAWSaccountcanhavemultipledomains,eachofwhichcancontainmultipleworkflows,butworkflowsindifferentdomainscannotinteract.

UnderstandthedifferentAmazonSWFactors.AmazonSWFinteractswithanumberofdifferenttypesofprogrammaticactors.Actorscanbeactivityworkers,workflowstarters,ordeciders.

UnderstandAmazonSNSbasics.AmazonSNSisapushnotificationservicethatletsyousendindividualormultiplemessagestolargenumbersofrecipients.AmazonSNSconsistsoftwotypesofclients:publishersandsubscribers(sometimesknownasproducersandconsumers).Publisherscommunicatetosubscribersasynchronouslybysendingamessagetoatopic.

KnowthedifferentprotocolsusedwithAmazonSNS.YoucanusethefollowingprotocolswithAmazonSNS:HTTP,HTTPS,SMS,email,email-JSON,AmazonSQS,andAWSLambda.

ExercisesInthissection,youcreateatopicandsubscriptioninAmazonSNSandthenpublishamessagetoyourtopic.

EXERCISE8.1

CreateanAmazonSNSTopicInthisexercise,youwillcreateanAmazonSNSmessage.

1. Openabrowser,andnavigatetotheAWSManagementConsole.SignintoyourAWSaccount.

2. NavigatetoMobileServicesandthenAmazonSNStoloadtheAmazonSNSdashboard.

3. Createanewtopic,anduseMyTopicforboththetopicnameandthedisplayname.

4. NotethatanAmazonResourceName(ARN)isspecifiedimmediately.

Congratulations!Youhavecreatedyourfirsttopic.

EXERCISE8.2

CreateaSubscriptiontoYourTopicInthisexercise,youwillcreateasubscriptiontothenewlycreatedtopicusingyouremailaddress.Thenyouconfirmyouremailaddress.

1. IntheAmazonSNSdashboardoftheAWSManagementConsole,navigatetoTopics.

2. SelecttheARNthatyoujustcreated.CreateaSubscriptionwiththeprotocolofEmail,andenteryouremailaddress.

3. CreatetheSubscription.

4. Theservicesendsaconfirmationemailtoyouremailaddress.Beforethissubscriptioncangolive,youneedtoclickonthelinkintheemailthatAWSsentyoutoconfirmyouremailaddress.Checkyouremail,andconfirmyouraddress.

Congratulations!Youhavenowconfirmedyouremailaddressandcreatedasubscriptiontoatopic.

EXERCISE8.3

PublishtoaTopicInthisexercise,youwillpublishamessagetoyournewlycreatedtopic.

1. IntheAmazonSNSdashboardoftheAWSManagementConsole,navigatetoTopics.

2. NavigatetotheARNlinkforyournewlycreatedtopic.

3. UpdatethesubjectwithMyTestMessage,leavethemessageformattosettoRaw,anduseaTimetoLive(TTL)fieldto300.

4. Publishthemessage.

5. Youshouldreceiveanemailfromyourtopicnamewiththesubjectthatyouspecified.Ifyoudonotreceivethisemail,checkyourjunkfolder.

Congratulations!Inthisexercise,youcreatedanewtopic,addedanewsubscription,andthenpublishedamessagetoyournewtopic.Notethedifferentformatsinwhichyoucanpublishmessages,includingHTTPandAWSLambda.Deleteyournewlycreatedtopicandsubscriptionsafteryouarefinished.

EXERCISE8.4

CreateQueue1. IntheAWSManagementConsole,navigatetoApplicationServicesandthentoAmazonSQStoloadtheAmazonSQSdashboard.

2. Createanewqueuewithinputasthequeuename,60secondsforthedefaultvisibility,and5minutesforthemessageretentionperiod.Leavetheremainingdefaultvaluesforthisexercise.

3. Createthequeue.

Congratulations!Inthisexercise,youcreatedanewqueue.Youwillpublishtothisqueueinthefollowingexercise.

EXERCISE8.5

SubscribeQueuetoSNSTopic1. IntheAWSManagementConsole,navigatetoApplicationServicesandthentoAmazonSQStoloadtheAmazonSQSdashboard.

2. SubscribeyourqueuetoyourAmazonSNStopic.

3. NowreturntotheAmazonSNSdashboard(intheAWSManagementConsoleunderMobileServices).

4. Publishtoyournewtopic,andusethedefaults.

5. ReturntotheAmazonSQSdashboard(intheAWSManagementConsoleunderApplicationServices).

6. Youwillnoticethereis“1MessageAvailable”intheinputqueue.Checktheinputboxtotheleftoftheinputqueuename.

7. Startpollingformessages.YoushouldseetheAmazonSNSmessageinyourqueue.

8. ClicktheMoreDetailslinktoseethedetailsofthemessage.

9. Reviewyourmessage,andclickClose.

10. Deleteyourmessage.

Congratulations!Inthisexercise,yousubscribedyourinputqueuetoanAmazonSNStopicandviewedyourmessageinyourAmazonSQSqueueinadditiontoreceivingthemessageinsubscribedemail.

ReviewQuestions1. WhichofthefollowingisnotasupportedAmazonSimpleNotificationService(AmazonSNS)protocol?

A. HTTPS

B. AWSLambda

C. Email-JSON

D. AmazonDynamoDB

2. WhenyoucreateanewAmazonSimpleNotificationService(AmazonSNS)topic,whichofthefollowingiscreatedautomatically?

A. AnAmazonResourceName(ARN)

B. Asubscriber

C. AnAmazonSimpleQueueService(AmazonSQS)queuetodeliveryourAmazonSNStopic

D. Amessage

3. WhichofthefollowingarefeaturesofAmazonSimpleNotificationService(AmazonSNS)?(Choose3answers)

A. Publishers

B. Readers

C. Subscribers

D. Topic

4. WhatisthedefaulttimeforanAmazonSimpleQueueService(AmazonSQS)visibilitytimeout?

A. 30seconds

B. 60seconds

C. 1hour

D. 12hours

5. WhatisthelongesttimeavailableforanAmazonSimpleQueueService(AmazonSQS)visibilitytimeout?

A. 30seconds

B. 60seconds

C. 1hour

D. 12hours

6. WhichofthefollowingoptionsarevalidpropertiesofanAmazonSimpleQueueService

(AmazonSQS)message?(Choose2answers)

A. Destination

B. MessageID

C. Type

D. Body

7. YouareasolutionsarchitectwhoisworkingforamobileapplicationcompanythatwantstouseAmazonSimpleWorkflowService(AmazonSWF)fortheirnewtakeoutorderingapplication.Theywillhavemultipleworkflowsthatwillneedtointeract.WhatshouldyouadvisethemtodoinstructuringthedesignoftheirAmazonSWFenvironment?

A. Usemultipledomains,eachcontainingasingleworkflow,anddesigntheworkflowstointeractacrossthedifferentdomains.

B. Useasingledomaincontainingmultipleworkflows.Inthismanner,theworkflowswillbeabletointeract.

C. Useasingledomainwithasingleworkflowandcollapseallactivitiestowithinthissingleworkflow.

D. Workflowscannotinteractwitheachother;theywouldbebetteroffusingAmazonSimpleQueueService(AmazonSQS)andAmazonSimpleNotificationService(AmazonSNS)fortheirapplication.

8. InAmazonSimpleWorkflowService(AmazonSWF),whichofthefollowingareactors?(Choose3answers)

A. Activityworkers

B. Workflowstarters

C. Deciders

D. Activitytasks

9. Youaredesigninganewapplication,andyouneedtoensurethatthecomponentsofyourapplicationarenottightlycoupled.YouaretryingtodecidebetweenthedifferentAWSCloudservicestousetoachievethisgoal.Yourrequirementsarethatmessagesbetweenyourapplicationcomponentsmaynotbedeliveredmorethanonce,tasksmustbecompletedineitherasynchronousorasynchronousfashion,andtheremustbesomeformofapplicationlogicthatdecideswhatdowhentaskshavebeencompleted.Whatapplicationserviceshouldyouuse?


B. AmazonSimpleWorkflowService(AmazonSWF)

C. AmazonSimpleStorageService(AmazonS3)

D. AmazonSimpleEmailService(AmazonSES)

10. HowdoesAmazonSimpleQueueService(AmazonSQS)delivermessages?

A. LastIn,FirstOut(LIFO)

B. FirstIn,FirstOut(FIFO)

C. Sequentially

D. AmazonSQSdoesn’tguaranteedeliveryofyourmessagesinanyparticularorder.

11. Ofthefollowingoptions,whatisanefficientwaytofanoutasingleAmazonSimpleNotificationService(AmazonSNS)messagetomultipleAmazonSimpleQueueService(AmazonSQS)queues?

A. CreateanAmazonSNStopicusingAmazonSNS.ThencreateandsubscribemultipleAmazonSQSqueuessenttotheAmazonSNStopic.

B. CreateoneAmazonSQSqueuethatsubscribestomultipleAmazonSNStopics.

C. AmazonSNSallowsexactlyonesubscribertoeachtopic,sofanoutisnotpossible.

D. CreateanAmazonSNStopicusingAmazonSNS.Createanapplicationthatsubscribestothattopicandduplicatesthemessage.SendcopiestomultipleAmazonSQSqueues.

12. YourapplicationpollsanAmazonSimpleQueueService(AmazonSQS)queuefrequentlyandreturnsimmediately,oftenwithemptyReceiveMessageResponses.WhatisonethingthatcanbedonetoreduceAmazonSQScosts?

A. PricingonAmazonSQSdoesnotincludeacostforservicerequests;therefore,thereisnoconcern.

B. Increasethetimeoutvalueforshortpollingtowaitformessageslongerbeforereturningaresponse.

C. Changethemessagevisibilityvaluetoahighernumber.

D. UselongpollingbysupplyingaWaitTimeSecondsofgreaterthan0secondswhencallingReceiveMessage.

13. WhatisthelongesttimeavailableforanAmazonSimpleQueueService(AmazonSQS)longpollingtimeout?

A. 10seconds

B. 20seconds

C. 30seconds

D. 1hour

14. WhatisthelongestconfigurablemessageretentionperiodforAmazonSimpleQueueService(AmazonSQS)?

A. 30minutes

B. 4days

C. 30seconds

D. 14days

15. WhatisthedefaultmessageretentionperiodforAmazonSimpleQueueService(AmazonSQS)?

A. 30minutes

B. 4days

C. 30seconds

D. 14days

16. AmazonSimpleNotificationService(AmazonSNS)isapushnotificationservicethatletsyousendindividualormultiplemessagestolargenumbersofrecipients.Whattypesofclientsaresupported?

A. JavaandJavaScriptclientsthatsupportpublisherandsubscribertypes

B. ProducersandconsumerssupportedbyCandC++clients

C. MobileandAMQPsupportforpublisherandsubscriberclienttypes

D. Publisherandsubscriberclienttypes

17. InAmazonSimpleWorkflowService(AmazonSWF),adeciderisresponsibleforwhat?

A. Executingeachstepofthework

B. Definingworkcoordinationlogicbyspecifyingworksequencing,timing,andfailureconditions

C. Executingyourworkflow

D. RegisteringactivitiesandworkflowwithAmazonSWF

18. CananAmazonSimpleNotificationService(AmazonSNS)topicberecreatedwithapreviouslyusedtopicname?

A. Yes.Thetopicnameshouldtypicallybeavailableafter24hoursaftertheprevioustopicwiththesamenamehasbeendeleted.

B. Yes.Thetopicnameshouldtypicallybeavailableafter1–3hoursaftertheprevioustopicwiththesamenamehasbeendeleted.

C. Yes.Thetopicnameshouldtypicallybeavailableafter30–60secondsaftertheprevioustopicwiththesamenamehasbeendeleted.

D. Atthistime,thisfeatureisnotsupported.

19. WhatshouldyoudoinordertograntadifferentAWSaccountpermissiontoyourAmazonSimpleQueueService(AmazonSQS)queue?

A. SharecredentialstoyourAWSaccountandhavetheotheraccount’sapplicationsuseyouraccount’scredentialstoaccesstheAmazonSQSqueue.

B. CreateauserforthataccountinAWSIdentityandAccessManagement(IAM)andestablishanIAMpolicythatgrantsaccesstothequeue.

C. CreateanAmazonSQSpolicythatgrantstheotheraccountaccess.

D. AmazonVirtualPrivateCloud(AmazonVPC)peeringmustbeusedtoachievethis.

20. CananAmazonSimpleNotificationService(AmazonSNS)messagebedeletedafterbeingpublishedtoatopic?

A. Onlyifasubscriber(s)has/havenotreadthemessageyet

B. OnlyiftheAmazonSNSrecallmessageparameterhasbeenset

C. No.Afteramessagehasbeensuccessfullypublishedtoatopic,itcannotberecalled.

D. Yes.HoweveritcanbedeletedonlyifthesubscribersareAmazonSQSqueues.

Chapter9DomainNameSystem(DNS)andAmazonRoute53THEAWSCERTIFIEDSOLUTIONSARCHITECTEXAMTOPICSCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems




Planninganddesign


Familiaritywith:


Developingtoclientspecifications,includingpricing/cost(forexample,on-demandvs.reservedvs.spot;RTOandRPODRdesign)

Architecturaltrade-offdecisions(forexample,highavailabilityvs.cost,AmazonRelationalDatabaseService[RDS]vs.installingyourowndatabaseonAmazonElasticComputeCloud—EC2)

Elasticityandscalability(forexample,auto-scaling,SQS,ELB,CloudFront)


3.1Recognizeandimplementsecureproceduresforoptimumclouddeploymentandmaintenance.

3.2Recognizecriticaldisaster-recoverytechniquesandtheirimplementation.

AmazonRoute53

DomainNameSystem(DNS)TheDomainNameSystem(DNS)issometimesadifficultconcepttounderstandbecauseitissoubiquitouslyusedinmakingtheInternetwork.Beforewegetintothedetails,let’sstartwithasimpleanalogy.TheInternetProtocol(IP)addressofyourwebsiteislikeyourphonenumber—itcouldchangeifyoumovetoanewarea(atleastyourlandlinecouldchange).DNSislikethephonebook.Ifsomeonewantstocallyouatyournewhouseorlocation,theymightlookyouupbynameinthephonebook.Iftheirphonebookhasn’tbeenupdatedsinceyoumoved,however,theymightcallyouroldhouse.Whenavisitorwantstoaccessyourwebsite,theircomputertakesthedomainnametypedin(www.amazon.com,forexample)andlooksuptheIPaddressforthatdomainusingDNS.

Morespecifically,DNSisaglobally-distributedservicethatisfoundationaltothewaypeopleusetheInternet.DNSusesahierarchicalnamestructure,anddifferentlevelsinthehierarchyareeachseparatedwithadot(.).Considerthedomainnameswww.amazon.comandaws.amazon.com.Inboththeseexamples,comistheTop-LevelDomain(TLD)andamazonistheSecond-LevelDomain(SLD).Therecanbeanynumberoflowerlevels(forexample,wwwandaws)belowtheSLD.

ComputersusetheDNShierarchytotranslatehumanreadablenames(forexample,www.amazon.com)intotheIPaddresses(forexample,192.0.2.1)thatcomputersusetoconnecttooneanother.Everytimeyouuseadomainname,aDNSservicemusttranslatethenameintothecorrespondingIPaddress.Insummary,ifyou’veusedtheInternet,you’veusedDNS.

AmazonRoute53isanauthoritativeDNSsystem.AnauthoritativeDNSsystemprovidesanupdatemechanismthatdevelopersusetomanagetheirpublicDNSnames.ItthenanswersDNSqueries,translatingdomainnamesintoIPaddressessothatcomputerscancommunicatewitheachother.

ThischapterisintendedtoprovideyouwithabaselineunderstandingofDNSandtheAmazonRoute53servicethatisdesignedtohelpusersfindyourwebsiteorapplicationovertheInternet.

DomainNameSystem(DNS)ConceptsThissectionofthechapterdefinesDNSterms,describeshowDNSworks,andexplainscommonlyusedrecordtypes.

Top-LevelDomains(TLDs)ATop-LevelDomain(TLD)isthemostgeneralpartofthedomain.TheTLDisthefarthestportiontotheright(asseparatedbyadot).CommonTLDsare.com,.net,.org,.gov,.edu,and.io.

TLDsareatthetopofthehierarchyintermsofdomainnames.CertainpartiesaregivenmanagementcontroloverTLDsbytheInternetCorporationforAssignedNamesandNumbers(ICANN).ThesepartiescanthendistributedomainnamesundertheTLD,usuallythroughadomainregistrar.ThesedomainsareregisteredwiththeNetworkInformationCenter(InterNIC),aserviceofICANN,whichenforcestheuniquenessofdomainnames

http://www.amazon.com


http://aws.amazon.com


acrosstheInternet.Eachdomainnamebecomesregisteredinacentraldatabase,knownastheWhoISdatabase.

DomainNamesAdomainnameisthehuman-friendlynamethatweareusedtoassociatingwithanInternetresource.Forinstance,amazon.comisadomainname.Somepeoplewillsaythattheamazonportionisthedomain,butwecangenerallyrefertothecombinedformasthedomainname.

TheURLaws.amazon.comisassociatedwiththeserversownedbyAWS.TheDNSallowsuserstoreachtheAWSserverswhentheytypeaws.amazon.comintotheirbrowsers.

IPAddressesAnIPaddressisanetworkaddressablelocation.EachIPaddressmustbeuniquewithinitsnetwork.Forpublicwebsites,thisnetworkistheentireInternet.

IPv4addresses,themostcommonformofaddresses,consistoffoursetsofnumbersseparatedbyadot,witheachsethavinguptothreedigits.Forexample,111.222.111.222couldbeavalidIPv4IPaddress.WithDNS,wemapanametothataddresssothatyoudonothavetorememberacomplicatedsetofnumbersforeachplaceyouwanttovisitonanetwork.

DuetothetremendousgrowthoftheInternetandthenumberofdevicesconnectedtoit,theIPv4addressrangehasquicklybeendepleted.IPv6wascreatedtosolvethisdepletionissue,andithasanaddressspaceof128bits,whichallowsfor340,282,366,920,938,463,463,374,607,431,768,211,456,or340undecillion,uniqueaddresses.Forhumanbeings,thisnumberisdifficulttoimagine,soconsiderthis:IfeachIPv4addresswereonegrainofsand,youwouldhaveenoughaddressestofillapproximatelyonedumptruckwithsand.IfeachIPv6addresswereonegrainofsand,youwouldhaveenoughsandtoequaltheapproximatesizeofthesun.Today,mostdevicesandnetworksstillcommunicateusingIPv4,butmigrationtoIPv6isproceedinggraduallyovertime.

HostsWithinadomain,thedomainownercandefineindividualhosts,whichrefertoseparatecomputersorservicesaccessiblethroughadomain.Forinstance,mostdomainownersmaketheirwebserversaccessiblethroughthebasedomain(example.com)andalsothroughthehostdefinitionwww(asinwww.example.com).

Youcanhaveotherhostdefinitionsunderthegeneraldomain,suchasApplicationProgramInterface(API)accessthroughanAPIhost(api.example.com)orFileTransferProtocol(FTP)accesswithahostdefinitionofFTPorfiles(ftp.example.comorfiles.example.com).Thehostnamescanbearbitraryiftheyareuniqueforthedomain.

SubdomainsDNSworksinahierarchalmannerandallowsalargedomaintobepartitionedorextendedintomultiplesubdomains.TLDscanhavemanysubdomainsunderthem.Forinstance,zappos.comandaudible.comarebothsubdomainsofthe.comTLD(althoughtheyaretypicallyjustcalleddomains).ThezapposoraudibleportioncanbereferredtoasanSLD.



http://example.com


http://api.example.com

http://ftp.example.com

http://files.example.com

Likewise,eachSLDcanhavesubdomainslocatedunderit.Forinstance,theURLforthehistorydepartmentofaschoolcouldbewww.history.school.edu.Thehistoryportionisasubdomain.

Thedifferencebetweenahostnameandasubdomainisthatahostdefinesacomputerorresource,whileasubdomainextendstheparentdomain.Subdomainsareamethodofsubdividingthedomainitself.

Whethertalkingaboutsubdomainsorhosts,youcanseethattheleft-mostportionsofadomainarethemostspecific.ThisishowDNSworks:frommosttoleastspecificasyoureadfromlefttoright.

FullyQualifiedDomainName(FQDN)DomainlocationsinaDNScanberelativetooneanotherand,assuch,canbesomewhatambiguous.AFullyQualifiedDomainName(FQDN),alsoreferredtoasanabsolutedomainname,specifiesadomain’slocationinrelationtotheabsoluterootoftheDNS.

ThismeansthattheFQDNspecifieseachparentdomainincludingtheTLD.AproperFQDNendswithadot,indicatingtherootoftheDNShierarchy.Forexample,mail.amazon.comisanFQDN.Sometimes,softwarethatcallsforanFQDNdoesnotrequiretheendingdot,butitisrequiredtoconformtoICANNstandards.

InFigure9.1,youcanseethattheentirestringistheFQDN,whichiscomposedofthedomainname,subdomain,root,TLD,SLDandhost.

FIGURE9.1FQDNcomponents

NameServersAnameserverisacomputerdesignatedtotranslatedomainnamesintoIPaddresses.These

http://www.history.school.edu

serversdomostoftheworkintheDNS.Becausethetotalnumberofdomaintranslationsistoomuchforanyoneserver,eachservermayredirectrequeststoothernameserversordelegateresponsibilityforthesubsetofsubdomainsforwhichtheyareresponsible.

Nameserverscanbeauthoritative,meaningthattheygiveanswerstoqueriesaboutdomainsundertheircontrol.Otherwise,theymaypointtootherserversorservecachedcopiesofothernameservers’data.

ZoneFilesAzonefileisasimpletextfilethatcontainsthemappingsbetweendomainnamesandIPaddresses.ThisishowaDNSserverfinallyidentifieswhichIPaddressshouldbecontactedwhenauserrequestsacertaindomainname.

Zonefilesresideinnameserversandgenerallydefinetheresourcesavailableunderaspecificdomain,ortheplacewhereonecangotogetthatinformation.

Top-LevelDomain(TLD)NameRegistrarsBecauseallofthenamesinagivendomainmustbeunique,thereneedstobeawaytoorganizethemsothatdomainnamesaren’tduplicated.Thisiswheredomainnameregistrarscomein.AdomainnameregistrarisanorganizationorcommercialentitythatmanagesthereservationofInternetdomainnames.AdomainnameregistrarmustbeaccreditedbyagenericTLD(gTLD)registryand/oracountrycodeTLD(ccTLD)registry.Themanagementisdoneinaccordancewiththeguidelinesofthedesignateddomainnameregistries.

StepsInvolvedinDomainNameSystem(DNS)ResolutionWhenyoutypeadomainnameintoyourbrowser,yourcomputerfirstchecksitshostfiletoseeifithasthatdomainnamestoredlocally.Ifitdoesnot,itwillcheckitsDNScachetoseeifyouhavevisitedthesitebefore.Ifitstilldoesnothavearecordofthatdomainname,itwillcontactaDNSservertoresolvethedomainname.

DNSis,atitscore,ahierarchicalsystem.Atthetopofthissystemarerootservers.ICANNdelegatesthecontroloftheseserverstovariousorganizations.

Asofthiswriting,thereare13rootserversinoperation.RootservershandlerequestsforinformationaboutTLDs.Whenarequestcomesinforadomainthatalower-levelnameservercannotresolve,aqueryismadetotherootserverforthedomain.

Inordertohandletheincrediblevolumeofresolutionsthathappeneveryday,theserootserversaremirroredandreplicated.Whenrequestsaremadetoacertainrootserver,therequestwillberoutedtothenearestmirrorofthatrootserver.

Therootserverswon’tactuallyknowwherethedomainishosted.Theywill,however,beabletodirecttherequestertothenameserversthathandlethespecifically-requestedTLD.

Forexample,ifarequestforwww.wikipedia.orgismadetotherootserver,itwillcheckitszonefilesforalistingthatmatchesthatdomainname,butitwillnotfindoneinitsrecords.Itwillinsteadfindarecordforthe.orgTLDandgivetherequestingentitytheaddressofthenameserverresponsiblefor.orgaddresses.

http://www.wikipedia.org

Top-LevelDomain(TLD)ServersAfterarootserverreturnstheIPaddressoftheappropriateserverthatisresponsiblefortheTLDofarequest,therequesterthensendsanewrequesttothataddress.

Tocontinuetheexamplefromtheprevioussection,therequestingentitywouldsendarequesttothenameserverresponsibleforknowingabout.orgdomainstoseeifitcanlocatewww.wikipedia.org.

Onceagain,whenthenameserversearchesitszonefilesforawww.wikipedia.orglisting,itwillnotfindoneinitsrecords.However,itwillfindalistingfortheIPaddressofthenameserverresponsibleforwikipedia.org.ThisisgettingmuchclosertothecorrectIPaddress.

Domain-LevelNameServersAtthispoint,therequesterhastheIPaddressofthenameserverthatisresponsibleforknowingtheactualIPaddressoftheresource.Itsendsanewrequesttothenameserverasking,onceagain,ifitcanresolvewww.wikipedia.org.

Thenameserverchecksitszonefiles,anditfindsazonefileassociatedwithwikipedia.org.Insideofthisfile,thereisarecordthatcontainstheIPaddressforthe.wwwhost.Thenameserverreturnsthefinaladdresstotherequester.

ResolvingNameServersInthepreviousscenario,wereferredtoarequester.Whatistherequesterinthissituation?

Inalmostallcases,therequesterwillbewhatiscalledaresolvingnameserver,whichisaserverthatisconfiguredtoaskotherserversquestions.Itsprimaryfunctionistoactasanintermediaryforauser,cachingpreviousqueryresultstoimprovespeedandprovidingtheaddressesofappropriaterootserverstoresolvenewrequests.

Auserwillusuallyhaveafewresolvingnameserversconfiguredontheircomputersystem.TheresolvingnameserversaretypicallyprovidedbyanInternetServiceProvider(ISP)orotherorganization.ThereareseveralpublicresolvingDNSserversthatyoucanquery.Thesecanbeconfiguredinyourcomputereitherautomaticallyormanually.

WhenyoutypeaURLintheaddressbarofyourbrowser,yourcomputerfirstlookstoseeifitcanfindtheresource’slocationlocally.Itchecksthehostfileonthecomputerandanylocallystoredcache.ItthensendstherequesttotheresolvingnameserverandwaitstoreceivetheIPaddressoftheresource.

Theresolvingnameserverthenchecksitscachefortheanswer.Ifitdoesn’tfindit,itgoesthroughthestepsoutlinedintheprevioussections.

Resolvingnameserverscompresstherequestingprocessfortheenduser.Theclientssimplyhavetoknowtoasktheresolvingnameserverswherearesourceislocated,andtheresolvingnameserverswilldotheworktoinvestigateandreturnthefinalanswer.

MoreAboutZoneFilesZonefilesarethewaythatnameserversstoreinformationaboutthedomainstheyknow.Themorezonefilesthatanameserverhas,themorerequestsitwillbeabletoanswerauthoritatively.Mostrequeststotheaveragenameserver,however,arefordomainsthatare



http://wikipedia.org


http://wikipedia.org

notinthelocalzonefile.

Iftheserverisconfiguredtohandlerecursivequeries,likearesolvingnameserver,itwillfindtheanswerandreturnit.Otherwise,itwilltelltherequestingentitywheretolooknext.

AzonefiledescribesaDNSzone,whichisasubsetoftheentireDNS.Zonefilesaregenerallyusedtoconfigureasingledomain,andtheycancontainanumberofrecordsthatdefinewhereresourcesareforthedomaininquestion.

Thezonefile’s$ORIGINdirectiveisaparameterequaltothezone’shighestlevelofauthoritybydefault.Ifazonefileisusedtoconfiguretheexample.comdomain,the$ORIGINwouldbesettoexample.com.

ThisparameteriseitherconfiguredatthetopofthezonefileordefinedintheDNSserver’sconfigurationfilethatreferencesthezonefile.Eitherway,thisparameterdefineswhatauthoritativerecordsthezonegoverns.

Similarly,the$TTLdirectiveconfiguresthedefaultTimetoLive(TTL)valueforresourcerecordsinthezone.Thisvaluedefinesthelengthoftimethatpreviouslyqueriedresultsareavailabletoacachingnameserverbeforetheyexpire.

RecordTypesEachzonefilecontainsrecords.Initssimplestform,arecordisasinglemappingbetweenaresourceandaname.ThesecanmapadomainnametoanIPaddressordefineresourcesforthedomain,suchasnameserversormailservers.Thissectiondescribeseachrecordtypeindetail.

StartofAuthority(SOA)RecordAStartofAuthority(SOA)recordismandatoryinallzonefiles,anditidentifiesthebaseDNSinformationaboutthedomain.EachzonecontainsasingleSOArecord.

TheSOArecordstoresinformationaboutthefollowing:

ThenameoftheDNSserverforthatzone

Theadministratorofthezone

Thecurrentversionofthedatafile

Thenumberofsecondsthatasecondarynameservershouldwaitbeforecheckingforupdates

Thenumberofsecondsthatasecondarynameservershouldwaitbeforeretryingafailedzonetransfer

Themaximumnumberofsecondsthatasecondarynameservercanusedatabeforeitmusteitherberefreshedorexpire

ThedefaultTTLvalue(inseconds)forresourcerecordsinthezone

AandAAAABothtypesofaddressrecordsmapahosttoanIPaddress.TheArecordisusedtomapahosttoanIPv4IPaddress,whileAAAArecordsareusedtomapahosttoanIPv6address.

CanonicalName(CNAME)ACanonicalName(CNAME)recordisatypeofresourcerecordintheDNSthatdefinesanaliasfortheCNAMEforyourserver(thedomainnamedefinedinanAorAAAArecord).

MailExchange(MX)MailExchange(MX)recordsareusedtodefinethemailserversusedforadomainandensurethatemailmessagesareroutedcorrectly.TheMXrecordshouldpointtoahostdefinedbyanAorAAAArecordandnotonedefinedbyaCNAME.

NameServer(NS)NameServer(NS)recordsareusedbyTLDserverstodirecttraffictotheDNSserverthatcontainstheauthoritativeDNSrecords.

Pointer(PTR)APointer(PTR)recordisessentiallythereverseofanArecord.PTRrecordsmapanIPaddresstoaDNSname,andtheyaremainlyusedtocheckiftheservernameisassociatedwiththeIPaddressfromwheretheconnectionwasinitiated.

SenderPolicyFramework(SPF)SenderPolicyFramework(SPF)recordsareusedbymailserverstocombatspam.AnSPFrecordtellsamailserverwhatIPaddressesareauthorizedtosendanemailfromyourdomainname.Forexample,ifyouwantedtoensurethatonlyyourmailserversendsemailsfromyourcompany’sdomain,suchasexample.com,youwouldcreateanSPFrecordwiththeIPaddressofyourmailserver.Thatway,anemailsentfromyourdomain,[email protected],wouldneedtohaveanoriginatingIPaddressofyourcompanymailserverinordertobeaccepted.Thispreventspeoplefromspoofingemailsfromyourdomainname.

Text(TXT)Text(TXT)recordsareusedtoholdtextinformation.Thisrecordprovidestheabilitytoassociatesomearbitraryandunformattedtextwithahostorothername,suchashumanreadableinformationaboutaserver,network,datacenter,andotheraccountinginformation.

Service(SRV)AService(SRV)recordisaspecificationofdataintheDNSdefiningthelocation(thehostnameandportnumber)ofserversforspecifiedservices.TheideabehindSRVisthat,givenadomainname(forexample,example.com)andaservicename(forexample,web[HTTP],whichrunsonaprotocol[TCP]),aDNSquerymaybeissuedtofindthehostnamethatprovidessuchaserviceforthedomain,whichmayormaynotbewithinthedomain.

http://[email protected]

AmazonRoute53OverviewNowthatyouhaveafoundationalunderstandingofDNSandthedifferentDNSrecordtypes,youcanexploreAmazonRoute53.AmazonRoute53isahighlyavailableandscalablecloudDNSwebservicethatisdesignedtogivedevelopersandbusinessesanextremelyreliableandcost-effectivewaytorouteenduserstoInternetapplications.

AmazonRoute53performsthreemainfunctions:

Domainregistration—AmazonRoute53letsyouregisterdomainnames,suchasexample.com.

DNSservice—AmazonRoute53translatesfriendlydomainnameslikewww.example.comintoIPaddresseslike192.0.2.1.AmazonRoute53respondstoDNSqueriesusingaglobalnetworkofauthoritativeDNSservers,whichreduceslatency.TocomplywithDNSstandards,responsessentoverUserDatagramProtocol(UDP)arelimitedto512bytesinsize.Responsesexceeding512bytesaretruncated,andtheresolvermustre-issuetherequestoverTCP.

Healthchecking—AmazonRoute53sendsautomatedrequestsovertheInternettoyourapplicationtoverifythatit’sreachable,available,andfunctional.

Youcanuseanycombinationofthesefunctions.Forexample,youcanuseAmazonRoute53asbothyourregistrarandyourDNSservice,oryoucanuseAmazonRoute53astheDNSserviceforadomainthatyouregisteredwithanotherdomainregistrar.

DomainRegistrationIfyouwanttocreateawebsite,youfirstneedtoregisterthedomainname.Ifyoualreadyregisteredadomainnamewithanotherregistrar,youhavetheoptiontotransferthedomainregistrationtoAmazonRoute53.Itisn’trequiredtouseAmazonRoute53asyourDNSserviceortoconfigurehealthcheckingforyourresources.

AmazonRoute53supportsdomainregistrationforawidevarietyofgenericTLDs(forexample,.comand.org)andgeographicTLDs(forexample,.beand.us).ForacompletelistofsupportedTLDs,refertotheAmazonRoute53DeveloperGuideathttps://docs.aws.amazon.com/Route53/latest/DeveloperGuide/.

DomainNameSystem(DNS)ServiceAsstatedpreviously,AmazonRoute53isanauthoritativeDNSservicethatroutesInternettraffictoyourwebsitebytranslatingfriendlydomainnamesintoIPaddresses.Whensomeoneentersyourdomainnameinabrowserorsendsyouanemail,aDNSrequestisforwardedtothenearestAmazonRoute53DNSserverinaglobalnetworkofauthoritativeDNSservers.AmazonRoute53respondswiththeIPaddressthatyouspecified.

IfyouregisteranewdomainnamewithAmazonRoute53,AmazonRoute53willbeautomaticallyconfiguredastheDNSserviceforthedomain,andahostedzonewillbecreatedforyourdomain.Youaddresourcerecordsetstothehostedzone,whichdefinehowyouwantAmazonRoute53torespondtoDNSqueriesforyourdomain(forexample,withtheIPaddressforawebserver,theIPaddressforthenearestAmazonCloudFrontedgelocation,or


https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/

theIPaddressforanElasticLoadBalancingloadbalancer).

Ifyouregisteredyourdomainwithanotherdomainregistrar,thatregistrarisprobablyprovidingtheDNSserviceforyourdomain.YoucantransferDNSservicetoAmazonRoute53,withorwithouttransferringregistrationforthedomain.

Ifyou’reusingAmazonCloudFront,AmazonSimpleStorageService(AmazonS3),orElasticLoadBalancing,youcanconfigureAmazonRoute53torouteInternettraffictothoseresources.

HostedZonesAhostedzoneisacollectionofresourcerecordsetshostedbyAmazonRoute53.LikeatraditionalDNSzonefile,ahostedzonerepresentsresourcerecordsetsthataremanagedtogetherunderasingledomainname.Eachhostedzonehasitsownmetadataandconfigurationinformation.

Therearetwotypesofhostedzones:privateandpublic.AprivatehostedzoneisacontainerthatholdsinformationabouthowyouwanttoroutetrafficforadomainanditssubdomainswithinoneormoreAmazonVirtualPrivateClouds(AmazonVPCs).ApublichostedzoneisacontainerthatholdsinformationabouthowyouwanttoroutetrafficontheInternetforadomain(forexample,example.com)anditssubdomains(forexample,apex.example.comandacme.example.com).

Theresourcerecordsetscontainedinahostedzonemustsharethesamesuffix.Forexample,theexample.comhostedzonecancontainresourcerecordsetsforthewww.example.comandwww.aws.example.comsubdomains,butitcannotcontainresourcerecordsetsforawww.example.casubdomain.

YoucanuseAmazonS3tohostyourstaticwebsiteatthehostedzone(forexample,domain.com)andredirectallrequeststoasubdomain(forexample,www.domain.com).Then,inAmazonRoute53,youcancreateanaliasresourcerecordthatsendsrequestsfortherootdomaintotheAmazonS3bucket.

Useanaliasrecord,notaCNAME,foryourhostedzone.CNAMEsarenotallowedforhostedzonesinAmazonRoute53.

DonotuseArecordsforsubdomains(forexample,www.domain.com),astheyrefertohardcodedIPaddresses.Instead,useAmazonRoute53aliasrecordsortraditionalCNAMErecordstoalwayspointtotherightresource,whereveryoursiteishosted,evenwhenthephysicalserverhaschangeditsIPaddress.


http://www.aws.example.com

http://www.example.ca

http://www.domain.com


SupportedRecordTypesAmazonRoute53supportsthefollowingDNSresourcerecordtypes.WhenyouaccessAmazonRoute53usingtheAPI,youwillseeexamplesofhowtoformattheValueelementforeachrecordtype.Supportedrecordtypesinclude:

A

AAAA

CNAME

MX

NS

PTR

SOA

SPF

SRV

TXT

RoutingPolicies

Whenyoucreatearesourcerecordset,youchoosearoutingpolicy,whichdetermineshowAmazonRoute53respondstoqueries.Routingpolicyoptionsaresimple,weighted,latency-based,failover,andgeolocation.Whenspecified,AmazonRoute53evaluatesaresource’srelativeweight,theclient’snetworklatencytotheresource,ortheclient’sgeographicallocationwhendecidingwhichresourcetosendbackinaDNSresponse.

Routingpoliciescanbeassociatedwithhealthchecks,soresourcehealthstatusisconsideredbeforeitevenbecomesacandidateinaconditionaldecisiontree.Adescriptionofpossibleroutingpoliciesandmoreonhealthcheckingiscoveredinthissection.

SimpleThisisthedefaultroutingpolicywhenyoucreateanewresource.Useasimpleroutingpolicywhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain(forexample,onewebserverthatservescontentfortheexample.comwebsite).Inthiscase,AmazonRoute53respondstoDNSqueriesbasedonlyonthevaluesintheresourcerecordset(forexample,theIPaddressinanArecord).

WeightedWithweightedDNS,youcanassociatemultipleresources(suchasAmazonElasticComputeCloud[AmazonEC2]instancesorElasticLoadBalancingloadbalancers)withasingleDNSname.

Usetheweightedroutingpolicywhenyouhavemultipleresourcesthatperformthesamefunction(suchaswebserversthatservethesamewebsite),andyouwantAmazonRoute53toroutetraffictothoseresourcesinproportionsthatyouspecify.Forexample,youmayusethisforloadbalancingbetweendifferentAWSregionsortotestnewversionsofyourwebsite

(youcansend10percentoftraffictothetestenvironmentand90percentoftraffictotheolderversionofyourwebsite).

Tocreateagroupofweightedresourcerecordsets,youneedtocreatetwoormoreresourcerecordsetsthathavethesameDNSnameandtype.Youthenassigneachresourcerecordsetauniqueidentifierandarelativeweight.

WhenprocessingaDNSquery,AmazonRoute53searchesforaresourcerecordsetoragroupofresourcerecordsetsthathavethesamenameandDNSrecordtype(suchasanArecord).AmazonRoute53thenselectsonerecordfromthegroup.Theprobabilityofanyresourcerecordsetbeingselectedisgovernedbythefollowingformula:

Latency-BasedLatency-basedroutingallowsyoutorouteyourtrafficbasedonthelowestnetworklatencyforyourenduser(forexample,usingtheAWSregionthatwillgivethemthefastestresponsetime).

UsethelatencyroutingpolicywhenyouhaveresourcesthatperformthesamefunctioninmultipleAWSAvailabilityZonesorregionsandyouwantAmazonRoute53torespondtoDNSqueriesusingtheresourcesthatprovidethebestlatency.Forexample,supposeyouhaveElasticLoadBalancingloadbalancersintheU.S.West(Oregon)regionandintheAsiaPacific(Singapore)region,andyoucreatedalatencyresourcerecordsetinAmazonRoute53foreachloadbalancer.AuserinLondonentersthenameofyourdomaininabrowser,andDNSroutestherequesttoanAmazonRoute53nameserver.AmazonRoute53referstoitsdataonlatencybetweenLondonandtheSingaporeregionandbetweenLondonandtheOregonregion.IflatencyislowerbetweenLondonandtheOregonregion,AmazonRoute53respondstotheuser’srequestwiththeIPaddressofyourloadbalancerinOregon.IflatencyislowerbetweenLondonandtheSingaporeregion,AmazonRoute53respondswiththeIPaddressofyourloadbalancerinSingapore.

FailoverUseafailoverroutingpolicytoconfigureactive-passivefailover,inwhichoneresourcetakesallthetrafficwhenit’savailableandtheotherresourcetakesallthetrafficwhenthefirstresourceisn’tavailable.Notethatyoucan’tcreatefailoverresourcerecordsetsforprivatehostedzones.

Forexample,youmightwantyourprimaryresourcerecordsettobeinU.S.West(N.California)andyoursecondary,DisasterRecovery(DR),resource(s)tobeinU.S.East(N.Virginia).AmazonRoute53willmonitorthehealthofyourprimaryresourceendpointsusingahealthcheck.

AhealthchecktellsAmazonRoute53howtosendrequeststotheendpointwhosehealthyouwanttocheck:whichprotocoltouse(HTTP,HTTPS,orTCP),whichIPaddressandporttouse,and,forHTTP/HTTPShealthchecks,adomainnameandpath.

Afteryouhaveconfiguredahealthcheck,AmazonwillmonitorthehealthofyourselectedDNSendpoint.Ifyourhealthcheckfails,thenfailoverroutingpolicieswillbeappliedandyourDNSwillfailovertoyourDRsite.

GeolocationGeolocationroutingletsyouchoosewhereAmazonRoute53willsendyourtrafficbasedonthegeographiclocationofyourusers(thelocationfromwhichDNSqueriesoriginate).Forexample,youmightwantallqueriesfromEuropetoberoutedtoafleetofAmazonEC2instancesthatarespecificallyconfiguredforyourEuropeancustomers,withlocallanguagesandpricinginEuros.

Youcanalsousegeolocationroutingtorestrictdistributionofcontenttoonlythelocationsinwhichyouhavedistributionrights.Anotherpossibleuseisforbalancingloadacrossendpointsinapredictable,easy-to-managewaysothateachuserlocationisconsistentlyroutedtothesameendpoint.

Youcanspecifygeographiclocationsbycontinent,bycountry,orevenbystateintheUnitedStates.Youcanalsocreateseparateresourcerecordsetsforoverlappinggeographicregions,andprioritygoestothesmallestgeographicregion.Forexample,youmighthaveoneresourcerecordsetforEuropeandonefortheUnitedKingdom.Thisallowsyoutoroutesomequeriesforselectedcountries(inthisexample,theUnitedKingdom)tooneresourceandtoroutequeriesfortherestofthecontinent(inthisexample,Europe)toadifferentresource.

GeolocationworksbymappingIPaddressestolocations.Youshouldbecautious,however,assomeIPaddressesaren’tmappedtogeographiclocations.Evenifyoucreategeolocationresourcerecordsetsthatcoverallsevencontinents,AmazonRoute53willreceivesomeDNSqueriesfromlocationsthatitcan’tidentify.

Inthiscase,youcancreateadefaultresourcerecordsetthathandlesbothqueriesfromIPaddressesthataren’tmappedtoanylocationandqueriesthatcomefromlocationsforwhichyouhaven’tcreatedgeolocationresourcerecordsets.Ifyoudon’tcreateadefaultresourcerecordset,AmazonRoute53returnsa“noanswer”responseforqueriesfromthoselocations.

Youcannotcreatetwogeolocationresourcerecordsetsthatspecifythesamegeographiclocation.Youalsocannotcreategeolocationresourcerecordsetsthathavethesamevaluesfor“Name”and“Type”asthe“Name”and“Type”ofnon-geolocationresourcerecordsets.

MoreonHealthCheckingAmazonRoute53healthchecksmonitorthehealthofyourresourcessuchaswebserversandemailservers.YoucanconfigureAmazonCloudWatchalarmsforyourhealthcheckssothatyoureceivenotificationwhenaresourcebecomesunavailable.YoucanalsoconfigureAmazonRoute53torouteInternettrafficawayfromresourcesthatareunavailable.

HealthchecksandDNSfailoveraremajortoolsintheAmazonRoute53featuresetthathelpmakeyourapplicationhighlyavailableandresilienttofailures.IfyoudeployanapplicationinmultipleAvailabilityZonesandmultipleAWSregions,withAmazonRoute53healthchecksattachedtoeveryendpoint,AmazonRoute53cansendbackalistofhealthyendpointsonly.Healthcheckscanautomaticallyswitchtoahealthyendpointwithminimal

disruptiontoyourclientsandwithoutanyconfigurationchanges.Youcanusethisautomaticrecoveryscenarioinactive-activeoractive-passivesetups,dependingonwhetheryouradditionalendpointsarealwayshitbylivetrafficoronlyafterallprimaryendpointshavefailed.Usinghealthchecksandautomaticfailovers,AmazonRoute53improvesyourserviceuptime,especiallywhencomparedtothetraditionalmonitor-alert-restartapproachofaddressingfailures.

AmazonRoute53healthchecksarenottriggeredbyDNSqueries;theyarerunperiodicallybyAWS,andresultsarepublishedtoallDNSservers.Thisway,nameserverscanbeawareofanunhealthyendpointandroutedifferentlywithinapproximately30secondsofaproblem(afterthreefailedtestsinarow),andnewDNSresultswillbeknowntoclientsaminutelater(assumingyourTTLis60seconds),bringingcompleterecoverytimetoaboutaminuteandahalfintotalinthisscenario.

The2014AWSre:InventsessionSDD408,“AmazonRoute53DeepDive:DeliveringResiliency,MinimizingLatency,”introducedasetofbestpracticesforAmazonRoute53.ExplorethosebestpracticestohelpyougetstartedusingAmazonRoute53asabuildingblocktodeliverhighly-availableandresilientapplicationsonAWS.

AmazonRoute53EnablesResiliencyWhenpullingtheseconceptstogethertobuildanapplicationthatishighlyavailableandresilienttofailures,considerthesebuildingblocks:

IneveryAWSregion,anElasticLoadBalancingloadbalancerissetupwithcross-zoneloadbalancingandconnectiondraining.ThisdistributestheloadevenlyacrossallinstancesinallAvailabilityZones,anditensuresrequestsinflightarefullyservedbeforeanAmazonEC2instanceisdisconnectedfromanElasticLoadBalancingloadbalancerforanyreason.

EachElasticLoadBalancingloadbalancerdelegatesrequeststoAmazonEC2instancesrunninginmultipleAvailabilityZonesinanauto-scalinggroup.ThisprotectstheapplicationfromAvailabilityZoneoutages,ensuresthataminimalamountofinstancesisalwaysrunning,andrespondstochangesinloadbyproperlyscalingeachgroup’sAmazonEC2instances.

EachElasticLoadBalancingloadbalancerhashealthchecksdefinedtoensurethatitdelegatesrequestsonlytohealthyinstances.

EachElasticLoadBalancingloadbalanceralsohasanAmazonRoute53healthcheckassociatedwithittoensurethatrequestsareroutedonlytoloadbalancersthathavehealthyAmazonEC2instances.

Theapplication’sproductionenvironment(forexample,prod.domain.com)hasAmazonRoute53aliasrecordsthatpointtoElasticLoadBalancingloadbalancers.Theproductionenvironmentalsousesalatency-basedroutingpolicythatisassociatedwithElasticLoadBalancinghealthchecks.Thisensuresthatrequestsareroutedtoahealthyloadbalancer,therebyprovidingminimallatencytoaclient.

Theapplication’sfailoverenvironment(forexample,fail.domain.com)hasanAmazonRoute53aliasrecordthatpointstoanAmazonCloudFrontdistributionofanAmazonS3buckethostingastaticversionoftheapplication.

Theapplication’ssubdomain(forexample,www.domain.com)hasanAmazonRoute53aliasrecordthatpointstoprod.domain.com(asprimarytarget)andfail.domain.com(assecondarytarget)usingafailoverroutingpolicy.Thisensureswww.domain.comroutestotheproductionloadbalancersifatleastoneofthemishealthyorthe“failwhale”ifallofthemappeartobeunhealthy.

Theapplication’shostedzone(forexample,domain.com)hasanAmazonRoute53aliasrecordthatredirectsrequeststowww.domain.comusinganAmazonS3bucketofthesamename.

Applicationcontent(bothstaticanddynamic)canbeservedusingAmazonCloudFront.ThisensuresthatthecontentisdeliveredtoclientsfromAmazonCloudFrontedgelocationsspreadallovertheworldtoprovideminimallatency.ServingdynamiccontentfromaContentDeliveryNetwork(CDN),whereitiscachedforshortperiodsoftime(thatis,severalseconds),takestheloadoffoftheapplicationandfurtherimprovesitslatencyandresponsiveness.

TheapplicationisdeployedinmultipleAWSregions,protectingitfromaregionaloutage.




SummaryInthischapter,youlearnedthefundamentalsofDNS,whichisthemethodologythatcomputersusetoconverthuman-friendlydomainnames(forexample,amazon.com)intoIPaddresses(suchas192.0.2.1).

DNSstartswithTLDs(forexample,.com,.edu).TheInternetAssignedNumbersAuthority(IANA)controlstheTLDsinarootzonedatabase,whichisessentiallyadatabaseofallavailableTLDs.

DNSnamesareregisteredwithadomainregistrar.AregistrarisanauthoritythatcanassigndomainnamesdirectlyunderoneormoreTLDs.ThesedomainsareregisteredwithInterNIC,aserviceofICANN,whichenforcestheuniquenessofdomainnamesacrosstheInternet.Eachdomainnamebecomesregisteredinacentraldatabase,knownastheWhoISdatabase.

DNSconsistsofanumberofdifferentrecordtypes,includingbutnotlimitedtothefollowing:

A

AAAA

CNAME

MX

NS

PTR

SOA

SPF

TXT

AmazonRoute53isahighlyavailableandhighlyscalableAWS-providedDNSservice.AmazonRoute53connectsuserrequeststoinfrastructurerunningonAWS(forexample,AmazonEC2instancesandElasticLoadBalancingloadbalancers).ItcanalsobeusedtorouteuserstoinfrastructureoutsideofAWS.

WithAmazonRoute53,yourDNSrecordsareorganizedintohostedzonesthatyouconfigurewiththeAmazonRoute53API.Ahostedzonesimplystoresrecordsforyourdomain.TheserecordscanconsistofA,CNAME,MX,andothersupportedrecordtypes.

AmazonRoute53allowsyoutohaveseveraldifferentroutingpolicies,includingthefollowing:

Simple—Mostcommonlyusedwhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain

Weighted—Usedwhenyouwanttorouteapercentageofyourtraffictooneparticularresourceorresources

Latency-Based—Usedtorouteyourtrafficbasedonthelowestlatencysothatyour

usersgetthefastestresponsetimes

Failover—UsedforDRandtorouteyourtrafficfromyourresourcesinaprimarylocationtoastandbylocation

Geolocation—Usedtorouteyourtrafficbasedonyourenduser’slocation

Remembertopulltheseconceptstogethertobuildanapplicationthatishighlyavailableandresilienttofailures.UseElasticLoadBalancingloadbalancersacrossAvailabilityZoneswithconnectiondrainingenabled,usehealthchecksdefinedtoensurethattheapplicationdelegatesrequestsonlytohealthyAmazonEC2instances,andusealatency-basedroutingpolicywithElasticLoadBalancinghealthcheckstoensurerequestsareroutedwithminimallatencytoclients.UseAmazonCloudFrontedgelocationstospreadcontentallovertheworldwithminimalclientlatency.DeploytheapplicationinmultipleAWSregions,protectingitfromaregionaloutage.

ExamEssentialsUnderstandwhatDNSis.DNSisthemethodologythatcomputersusetoconverthuman-friendlydomainnames(forexample,amazon.com)intoIPaddresses(suchas192.0.2.1).

KnowhowDNSregistrationworks.DomainsareregisteredwithdomainregistrarsthatinturnregisterthedomainnamewithInterNIC,aserviceofICANN.ICANNenforcesuniquenessofdomainnamesacrosstheInternet.EachdomainnamebecomesregisteredinacentraldatabaseknownastheWhoISdatabase.DomainsaredefinedbytheirTLDs.TLDsarecontrolledbyIANAinarootzonedatabase,whichisessentiallyadatabaseofallavailableTLDs.

RememberthestepsinvolvedinDNSresolution.YourbrowseraskstheresolvingDNSserverwhattheIPaddressisforamazon.com.Theresolvingserverdoesnotknowtheaddress,soitasksarootserverthesamequestion.Thereare13rootserversaroundtheworld,andthesearemanagedbyICANN.Therootserverrepliesthatitdoesnotknowtheanswertothis,butitcangiveanaddresstoaTLDserverthatknowsabout.comdomainnames.TheresolvingserverthencontactstheTLDserver.TheTLDserverdoesnotknowtheaddressofthedomainnameeither,butitdoesknowtheaddressoftheresolvingnameserver.Theresolvingserverthenqueriestheresolvingnameserver.Theresolvingnameservercontainstheauthoritativerecordsandsendsthesetotheresolvingserver,whichthensavestheserecordslocallysoitdoesnothavetoperformthesestepsagaininthenearfuture.Theresolvingnameserverreturnsthisinformationtotheuser’swebbrowser,whichalsocachestheinformation.

Rememberthedifferentrecordtypes.DNSconsistsofthefollowingdifferentrecordtypes:A(addressrecord),AAAA(IPv6addressrecord),CNAME(canonicalnamerecordoralias),MX(mailexchangerecord),NS(nameserverrecord),PTR(pointerrecord),SOA(startofauthorityrecord),SPF(senderpolicyframework),SRV(servicelocator),andTXT(textrecord).Youshouldknowthedifferencesamongeachrecordtype.

Rememberthedifferentroutingpolicies.WithAmazonRoute53,youcanhavedifferentroutingpolicies.Thesimpleroutingpolicyismostcommonlyusedwhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain.Weightedroutingisusedwhenyouwanttorouteapercentageofyourtraffictoaparticularresourceorresources.Latency-basedroutingisusedtorouteyourtrafficbasedonthelowestlatencysothatyourusersgetthefastestresponsetimes.FailoverroutingisusedforDRandtorouteyourtrafficfromaprimaryresourcetoastandbyresource.Geolocationroutingisusedtorouteyourtrafficbasedonyourenduser’slocation.

ExercisesInthissection,youexplorethedifferenttypesofDNSroutingpoliciesthatyoucancreateusingAWS.Forspecificstep-by-stepinstructions,refertotheAmazonRoute53informationanddocumentationathttp://aws.amazon.com/route53/.Youwillneedyourowndomainnametocompletethissection,andyoushouldbeawarethatAmazonRoute53isnotAWSFreeTiereligible.HostingazoneonAmazonRoute53shouldcostyouaminimalamountpermonthperhostedzone,andadditionalchargeswillbelevieddependingontheroutingpolicyyouuse.ForcurrentinformationonAmazonRoute53pricing,refertohttp://aws.amazon.com/route53/pricing/.

EXERCISE9.1

CreateaNewZone1. LogintotheAWSManagementConsole.

2. NavigatetoAmazonRoute53,andcreateahostedzone.

3. Enteryourdomainname,andcreateyournewzonefile.

4. Inthenewzonefile,youwillseetheSOArecordandnameservers.Youwillneedtologintoyourdomainregistrar’swebsite,andupdatethenameserverswithyourAWSnameservers.

5. Afteryouupdateyournameserverswithyourdomainregistrars,AmazonRoute53willbeconfiguredtoserveDNSrequestsforyourdomain.

YouhavenowcreatedyourfirstAmazonRoute53zone.

EXERCISE9.2

CreateTwoWebServersinTwoDifferentRegionsInthisexercise,youwillcreatetwonewAmazonEC2webserversindifferentAWSregions.YouwillusetheseinthefollowingexerciseswhensettingupAmazonRoute53toaccessthewebservers.

CreateanAmazonEC2Instance1. LogintotheAWSManagementConsole.

2. ChangeyourregiontoAsiaPacific(Sydney).

3. IntheComputesection,loadtheAmazonEC2dashboard.Launchaninstance,andselectthefirstAmazonLinuxAmazonMachineImage(AMI).

4. Selecttheinstancetype,andconfigureyourinstancedetails.Takeacloselookatthedifferentoptionsavailabletoyou,andchangeyourinstance’sstoragedevicesettingsasnecessary.

http://aws.amazon.com/route53/

http://aws.amazon.com/route53/pricing/

5. NametheinstanceSydney,andaddasecuritygroupthatallowsHTTP.

6. LaunchyournewAmazonEC2instance,andverifythatithaslaunchedproperly.

ConnecttoYourAmazonEC2Instance7. NavigatetotheAmazonEC2instanceintheAWSManagementConsole,andcopy

thepublicIPaddresstoyourclipboard.

8. UsingaSecureShell(SSH)clientofyourchoice,connecttoyourAmazonEC2instanceusingthepublicIPaddress,theusernameec2-user,andyourprivatekey.

9. Whenpromptedabouttheauthenticityofthehost,typeYes,andcontinue.

10. YoushouldnowbeconnectedtoyourAmazonEC2instance.Elevateyourprivilegestorootbytyping#sudosu.

11. Whileyou’reloggedinastherootusertoyourAmazonEC2instance,runthefollowingcommandtoinstallApachehttpd:

#yuminstallhttpd-y

12. Aftertheinstallationhascompleted,runthecommand#servicehttpdstartfollowedby#chkconfighttpdon.

13. NavigatetotheEC2instance,andtype:cd/var/www/html

14. Type#nanoindex.htmlandpressEnter.

15. InNano,typeThisistheSydneyServerandthenpressCtrl+X.

16. TypeYtoconfirmthatyouwanttosavethechanges,andthenpressEnter.

17. Type#ls.Youshouldnowseeyournewlycreatedindex.htmlfile.

18. Inyourbrowser,navigatetohttp://yourpublicipaddress/index.html.

Youshouldnowseeyour“ThisistheSydneyServer”homepage.Ifyoudonotseethis,checkyoursecuritygrouptomakesureyouallowedaccessforport80.

CreateanElasticLoadBalancingLoadBalancer19. ReturntotheAWSManagementConsole,andnavigatetotheAmazonEC2

dashboard.

20. CreatealoadbalancernamedSydney,leavingthesettingsattheirdefaultvalues.

21. Createyoursecuritygroup,andallowalltrafficinonport80.

22. Configurehealthcheck,leavingthesettingsattheirdefaultvalues.

23. Selectyournewlyaddedinstance.Addtagshereifyouwanttotagyourinstances.

24. ClickCreatetoprovisionyourloadbalancer.

CreateTheseResourcesinaSecondRegion25. ReturntotheAWSManagementConsole,andchangeyourregiontoSouthAmerica

(SaoPaulo).

http://yourpublicipaddress/index.html

26. RepeatthethreeproceduresinthissectiontoaddasecondAmazonEC2instanceandaloadbalancerinthisnewregion.

YouhavenowcreatedtwowebserversindifferentregionsoftheworldandplacedtheseregionsbehindElasticLoadBalancingloadbalancers.

EXERCISE9.3

CreateanAliasARecordwithaSimpleRoutingPolicy1. LogintotheAWSManagementConsole,andnavigatetotheAmazonRoute53dashboard.

2. Selectyournewly-createdzonedomainname,andcreatearecordsetwiththenameA−IPv4Address

3. Createanalias,leavingyourroutingpolicysettoSimple.

4. Inyourwebbrowser,navigatetoyourdomainname.YoushouldnowseeawelcomescreenfortheSydneyregion.Ifyoudonotseethis,checkthatyourAmazonEC2instanceisattachedtoyourloadbalancerandthattheinstanceisinservice.Iftheinstanceisnotinservice,thismeansthatitisfailingitshealthcheck.CheckthatApacheHTTPServer(HTTPD)isrunningandthatyourindex.htmldocumentisaccessible.

YouhavenowcreatedyourfirstAliasArecordforthezoneapexusingthesimpleroutingpolicy.

EXERCISE9.4

CreateaWeightedRoutingPolicy1. ReturntotheAWSManagementConsole,andnavigatetotheAmazonRoute53dashboard.

2. Navigatetohostedzones,andselectyournewly-createdzonedomainname.

3. Createarecordsetwithtypesettodeveloper.Thiswillcreateasubdomainofdeveloper.yourdomainname.com.

4. SelectyourSydneyloadbalancer.ChangetheroutingpolicytoWeightedwithavalueof50andatypeofSydney.Leavetheothervaluesattheirdefaults.ClickCreate.Youwillnowseeyournewly-createdDNSentry.

5. Createanotherrecordsetwithtypesettodeveloper.Thiswilladdanewrecordwiththesamenameyoucreatedearlier.Bothrecordswillworktogether.

6. SelectyourSaoPauloloadbalancer.ChangetheroutingpolicytoWeightedwithavalueof50andtypeofSaoPaulo.Leavetheothervaluesattheirdefaults.ClickCreate.Youwillnowseeyournewly-createdDNSentry.

7. TestyourDNSbyvisitinghttp://developer.yourdomainname.comandrefreshingthepage.YoushouldbeaccessingtheSydneyserver50percentofthetimeandtheSaoPauloservertheother50percentofthetime.

YouhavenowcreatedaweightedDNSroutingpolicy.Youcancontinuetoexperimentwithotherroutingpoliciesbyfollowingthedocumentationathttp://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html.

EXERCISE9.5

CreateaHostedZoneforAmazonVirtualPrivateCloud(AmazonVPC)AmazonVPCdetailsarecoveredinChapter4,“AmazonVirtualPrivateCloud(AmazonVPC).”

CreateaPrivateHostedZone1. ReturntotheAWSManagementConsole,andnavigatetotheAmazonRoute53dashboard.

2. Createahostedzone,andenteryourprivatedomainname.

3. SelectthedefaultAmazonVPCthatyouusedinExercise9.2todeploythefirstserverintheAsiaPacific(Sydney)region.ClickCreate.Thiswillcreateanewzonefile.

VerifyAmazonVPCConfiguration4. ReturntotheAWSManagementConsole,andchangeyourregiontoAsiaPacific

http://developer.yourdomainname.com

http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

(Sydney).

5. IntheAmazonVPCdashboard,chooseyourAmazonVPC.

6. ClickonthedefaultAmazonVPCfromthelist.EnsurethatbothDNSresolutionandDNShostnamesareenabled.Thesesettingsneedtouseprivatehostedzones.

CreateResourceRecordSets7. ReturntotheAWSManagementConsole,andnavigatetotheAmazonRoute53

dashboard.

8. Selectyournewly-createdprivatezonedomainname,andcreatearecordset.

9. EnterthenameyouwanttogivetoyourAmazonEC2instance(forexample,webserver1),andselectIPv4addresswithnoalias.

10. EntertheinternalIPaddressofyourAmazonEC2instancethatyounotedinExercise9.2.

11. LeaveyourroutingpolicysettoSimple,andclickCreate.

ConnecttoYourAmazonEC2Instance12. OntheAmazonEC2instancesscreen,waituntilyouseeyourvirtualmachine’s

instancestateasrunning.CopythepublicIPaddresstoyourclipboard.

13. UsinganSSHclientofyourchoice,connecttoyourAmazonEC2instanceusingthepublicIPaddress,theusernameec2-user,andyourprivatekey.Forexample,ifyou’reusingTerminalinOSX,youwouldtypethefollowingcommand:

[email protected]

14. Whenpromptedabouttheauthenticityofthehost,typeYesandcontinue.YoushouldnowbeconnectedtoyourAmazonEC2instance.

15. Whileyou’reloggedintoyourAmazonEC2instance,runthefollowingcommandtocheckifthehostnamesinAmazonRoute53areresolving:

nslookupwebserver1.yourprivatehostedzone.com

16. Youshouldreceiveanon-authoritativeanswerwiththehostnameandIPaddressfortherecordsetthatyoucreatedinAmazonRoute53.

YouhavenowcreatedaprivatehostedzoneinAmazonRoute53andassociateditwithanAmazonVPC.YoucancontinuetoaddinstancesinAmazonVPCandcreateresourcerecordsetsfortheminAmazonRoute53.Thesenewinstanceswouldbeabletointer-communicatewiththeinstancesinthesameAmazonVPCusingthedomainnamethatyoucreated.

RemembertodeleteyourAmazonEC2instancesandElasticLoadBalancingloadbalancersafteryou’vefinishedexperimentingwithyourdifferentroutingpolicies.Youmayalsowanttodeletethezoneifyouarenolongerusingit.

ReviewQuestions1. WhichtypeofrecordiscommonlyusedtoroutetraffictoanIPv6address?

A. AnArecord

B. ACNAME

C. AnAAAArecord

D. AnMXrecord

2. Wheredoyouregisteradomainname?

A. Withyourlocalgovernmentauthority

B. Withadomainregistrar

C. WithInterNICdirectly

D. WiththeInternetAssignedNumbersAuthority(IANA)

3. YouhaveanapplicationthatforlegalreasonsmustbehostedintheUnitedStateswhenU.S.citizensaccessit.TheapplicationmustbehostedintheEuropeanUnionwhencitizensoftheEUaccessit.Forallothercitizensoftheworld,theapplicationmustbehostedinSydney.Whichroutingpolicyshouldyouchooseinordertoachievethis?

A. Latency-basedrouting

B. Simplerouting

C. Geolocationrouting

D. Failoverrouting

4. WhichtypeofDNSrecordshouldyouusetoresolveanIPaddresstoadomainname?

A. AnArecord

B. ACName

C. AnSPFrecord

D. APTRrecord

5. YouhostawebapplicationacrossmultipleAWSregionsintheworld,andyouneedtoconfigureyourDNSsothatyourenduserswillgetthefastestnetworkperformancepossible.Whichroutingpolicyshouldyouapply?

A. Geolocationrouting

B. Latency-basedrouting

C. Simplerouting

D. Weightedrouting

6. WhichDNSrecordshouldyouusetoconfigurethetransmissionofemailtoyourintendedmailserver?

A. SPFrecords

B. Arecords

C. MXrecords

D. SOArecord

7. WhichDNSrecordsarecommonlyusedtostopemailspoofingandspam?

A. MXrecords

B. SPFrecords

C. Arecords

D. Cnames

8. YouarerollingoutAandBtestversionsofawebapplicationtoseewhichversionresultsinthemostsales.Youneed10percentofyourtraffictogotoversionA,10percenttogotoversionB,andtheresttogotoyourcurrentproductionversion.Whichroutingpolicyshouldyouchoosetoachievethis?

A. Simplerouting

B. Weightedrouting

C. Geolocationrouting

D. Failoverrouting

9. WhichDNSrecordmustallzoneshavebydefault?

A. SPF

B. TXT

C. MX

D. SOA

10. YourcompanyhasitsprimaryproductionsiteinWesternEuropeanditsDRsiteintheAsiaPacific.YouneedtoconfigureDNSsothatifyourprimarysitebecomesunavailable,youcanfailDNSovertothesecondarysite.WhichDNSroutingpolicywouldbestachievethis?

A. Weightedrouting

B. Geolocationrouting

C. Simplerouting

D. Failoverrouting

11. WhichtypeofDNSrecordshouldyouusetoresolveadomainnametoanotherdomainname?

A. AnArecord

B. ACNAMErecord

C. AnSPFrecord

D. APTRrecord

12. WhichisafunctionthatAmazonRoute53doesnotperform?

A. Domainregistration

B. DNSservice

C. Loadbalancing

D. Healthchecks

13. WhichDNSrecordcanbeusedtostorehuman-readableinformationaboutaserver,network,andotheraccountingdatawithahost?

A. ATXTrecord

B. AnMXrecord

C. AnSPFrecord

D. APTRrecord

14. Whichresourcerecordsetwouldnotbeallowedforthehostedzoneexample.com?

A. www.example.com

B. www.aws.example.com

C. www.example.ca

D. www.beta.example.com

15. WhichportnumberisusedtoserverequestsbyDNS?

A. 22

B. 53

C. 161

D. 389

16. WhichprotocolisprimarilyusedbyDNStoserverequests?

A. TransmissionControlProtocol(TCP)

B. HyperTextTransferProtocol(HTTP)

C. FileTransferProtocol(FTP)

D. UserDatagramProtocol(UDP)

17. WhichprotocolisusedbyDNSwhenresponsedatasizeexceeds512bytes?

A. TransmissionControlProtocol(TCP)

B. HyperTextTransferProtocol(HTTP)

C. FileTransferProtocol(FTP)

D. UserDatagramProtocol(UDP)

18. WhatarethedifferenthostedzonesthatcanbecreatedinAmazonRoute53?


http://www.aws.example.com

http://www.example.ca

http://www.beta.example.com

1. Publichostedzone

2. Globalhostedzone

3. Privatehostedzone

A. 1and2

B. 1and3

C. 2and3

D. 1,2,and3

19. AmazonRoute53cannotroutequeriestowhichAWSresource?

A. AmazonCloudFrontdistribution

B. ElasticLoadBalancingloadbalancer

C. AmazonEC2

D. AWSOpsWorks

20. WhenconfiguringAmazonRoute53asyourDNSserviceforanexistingdomain,whichisthefirststepthatneedstobeperformed?

A. Createhostedzones.

B. Createresourcerecordsets.

C. RegisteradomainwithAmazonRoute53.

D. TransferdomainregistrationfromcurrentregistrartoAmazonRoute53.

Chapter10AmazonElastiCacheTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems

Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.


Planninganddesign

Architecturaltrade-offdecisions








IntroductionThischapterfocusesonbuildinghigh-performanceapplicationsusingin-memorycachingtechnologiesandAmazonElastiCache.ByusingtheAmazonElastiCacheservice,youcanoffloadtheheavyliftinginvolvedinthedeploymentandoperationofcacheenvironmentsrunningMemcachedorRedis.Itfocusesonkeytopicsyouneedtounderstandfortheexam,including:

Howtoimproveapplicationperformanceusingcaching

Howtolaunchcacheenvironmentsinthecloud

WhatarethebasicdifferencesandusecasesforMemcachedandRedis?

Howtoscaleyourclustervertically

HowtoscaleyourMemcachedclusterhorizontallyusingadditionalcachenodes

HowtoscaleyourRedisclusterhorizontallyusingreplicationgroups

HowtobackupandrecoveryourRediscluster

Howtoapplyalayeredsecuritymodel

In-MemoryCachingOneofthecommoncharacteristicsofasuccessfulapplicationisafastandresponsiveuserexperience.Researchhasshownthatuserswillgetfrustratedandleaveawebsiteorappwhenitisslowtorespond.In2007,testingofAmazon.com’sretailsiteshowedthatforevery100msincreaseinloadtimes,salesdecreasedby1%.Round-tripsbackandforthtoadatabaseanditsunderlyingstoragecanaddsignificantdelaysandareoftenthetopcontributortoapplicationlatency.

Cachingfrequently-useddataisoneofthemostimportantperformanceoptimizationsyoucanmakeinyourapplications.Comparedtoretrievingdatafromanin-memorycache,queryingadatabaseisanexpensiveoperation.Bystoringormovingfrequentlyaccesseddatain-memory,applicationdeveloperscansignificantlyimprovetheperformanceandresponsivenessofread-heavyapplications.Forexample,theapplicationsessionstateforalargewebsitecanbestoredinanin-memorycachingengine,insteadofstoringthesessiondatainthedatabase.

Formanyyears,developershavebeenbuildingapplicationsthatusecacheengineslikeMemcachedorRedistostoredatain-memorytogetblazingfastapplicationperformance.Memcachedisasimple-to-usein-memorykey/valuestorethatcanbeusedtostorearbitrarytypesofdata.Itisoneofthemostpopularcacheengines.Redisisaflexiblein-memorydatastructurestorethatcanbeusedasacache,database,orevenasamessagebroker.AmazonElastiCacheallowsdeveloperstoeasilydeployandmanagecacheenvironmentsrunningeitherMemcachedorRedis.

AmazonElastiCacheAmazonElastiCacheisawebservicethatsimplifiesthesetupandmanagementofdistributedin-memorycachingenvironments.Thisservicemakesiteasyandcosteffectivetoprovideahigh-performanceandscalablecachingsolutionforyourcloudapplications.YoucanuseAmazonElastiCacheinyourapplicationstospeedthedeploymentofcacheclustersandreducetheadministrationrequiredforadistributedcacheenvironment.

WithAmazonElastiCache,youcanchoosefromaMemcachedorRedisprotocol-compliantcacheengineandquicklylaunchaclusterwithinminutes.BecauseAmazonElastiCacheisamanagedservice,youcanstartusingtheservicetodaywithveryfewornomodificationstoyourexistingapplicationsthatuseMemcachedorRedis.BecauseAmazonElastiCacheisprotocol-compliantwithbothoftheseengines,youonlyneedtochangetheendpointinyourconfigurationfiles.

UsingAmazonElastiCache,youcanimplementanynumberofcachingpatterns.Themostcommonpatternisthecache-asidepatterndepictedinFigure10.1.Inthisscenario,theappserverchecksthecachefirsttoseeifitcontainsthedataitneeds.Ifthedatadoesnotexistinthecachenode,itwillquerythedatabaseandserializeandwritethequeryresultstothecache.Thenextuserrequestwillthenbeabletoreadthedatadirectlyfromthecacheinsteadofqueryingthedatabase.

FIGURE10.1Commoncachingarchitecture

WhileitiscertainlypossibletobuildandmanageacacheclusteryourselfonAmazonElasticComputeCloud(AmazonEC2),AmazonElastiCacheallowsyoutooffloadtheheavyliftingofinstallation,patchmanagement,andmonitoringtoAWSsoyoucanfocusonyourapplicationinstead.AmazonElastiCachealsoprovidesanumberoffeaturestoenhancethereliabilityofcriticaldeployments.Whileitisrare,theunderlyingAmazonEC2instancescanbecomeimpaired.AmazonElastiCachecanautomaticallydetectandrecoverfromthefailureofacachenode.WiththeRedisengine,AmazonElastiCachemakesiteasytosetupreadreplicasandfailoverfromtheprimarytoareplicaintheeventofaproblem.

DataAccessPatternsRetrievingaflatkeyfromanin-memorycachewillalwaysbefasterthanthemostoptimizeddatabasequery.Youshouldevaluatetheaccesspatternofthedatabeforeyoudecidetostoreitincache.Agoodexampleofsomethingtocacheisthelistofproductsinacatalog.Forabusywebsite,thelistofitemscouldberetrievedthousandsoftimespersecond.Whileitmakessensetocachethemostheavilyrequesteditems,youcanalsobenefitfromcachingitemsthatarenotfrequentlyrequested.

Therearealsosomedataitemsthatshouldnotbecached.Forexample,ifyougenerateauniquepageeveryrequest,youprobablyshouldnotcachethepageresults.However,even

thoughthepagechangeseverytime,itdoesmakesensetocachethecomponentsofthepagethatdonotchange.

CacheEnginesAmazonElastiCacheallowsyoutoquicklydeployclustersoftwodifferenttypesofpopularcacheengines:MemcachedandRedis.Atahighlevel,MemcachedandRedismayseemsimilar,buttheysupportavarietyofdifferentusecasesandprovidedifferentfunctionality.

MemcachedMemcachedprovidesaverysimpleinterfacethatallowsyoutowriteandreadobjectsintoin-memorykey/valuedatastores.WithAmazonElastiCache,youcanelasticallygrowandshrinkaclusterofMemcachednodestomeetyourdemands.Youcanpartitionyourclusterintoshardsandsupportparallelizedoperationsforveryhighperformancethroughput.Memcacheddealswithobjectsasblobsthatcanberetrievedusingauniquekey.Whatyouputintotheobjectisuptoyou,anditistypicallytheserializedresultsfromadatabasequery.Thiscouldbesimplestringvaluesorbinarydata.

AmazonElastiCachesupportsanumberofrecentversionsofMemcached.Asofearly2016,theservicesupportsMemcachedversion1.4.24,andalsoolderversionsgoingbackto1.4.5.WhenanewversionofMemcachedisreleased,AmazonElastiCachesimplifiestheupgradeprocessbyallowingyoutospinupanewclusterwiththelatestversion.

RedisInlate2013,AmazonElastiCacheaddedsupporttodeployRedisclusters.Atthetimeofthiswriting,theservicesupportsthedeploymentofRedisversion2.8.24,andalsoanumberofolderversions.BeyondtheobjectsupportprovidedinMemcached,Redissupportsarichsetofdatatypeslikesstrings,lists,andsets.

UnlikeMemcached,Redissupportstheabilitytopersistthein-memorydataontodisk.Thisallowsyoutocreatesnapshotsthatbackupyourdataandthenrecoverorreplicatefromthebackups.Redisclustersalsocansupportuptofivereadreplicastooffloadreadrequests.Intheeventoffailureoftheprimarynode,areadreplicacanbepromotedandbecomethenewmasterusingMulti-AZreplicationgroups.

Redisalsohasadvancedfeaturesthatmakeiteasytosortandrankdata.Somecommonusecasesincludebuildingaleaderboardforamobileapplicationorservingasahigh-speedmessagebrokerinadistributedsystem.WithaRediscluster,youcanleverageapublishandsubscribemessagingabstractionthatallowsyoutodecouplethecomponentsofyourapplications.Apublishandsubscribemessagingarchitecturegivesyoutheflexibilitytochangehowyouconsumethemessagesinthefuturewithoutaffectingthecomponentthatisproducingthemessagesinthefirstplace.

NodesandClustersEachdeploymentofAmazonElastiCacheconsistsofoneormorenodesinacluster.Therearemanydifferenttypesofnodesavailabletochoosefrombasedonyourusecaseandthenecessaryresources.AsingleMemcachedclustercancontainupto20nodes.Redisclustersarealwaysmadeupofasinglenode;however,multipleclusterscanbegroupedintoaRedisreplicationgroup.

TheindividualnodetypesarederivedfromasubsetoftheAmazonEC2instancetypefamilies,liket2,m3,andr3.Thespecificnodetypesmaychangeovertime,buttodaythey

rangefromat2.micronodetypewith555MBofmemoryuptoanr3.8xlargewith237GBofmemory,withmanychoicesinbetween.Thet2cachenodefamilyisidealfordevelopmentandlow-volumeapplicationswithoccasionalbursts,butcertainfeaturesmaynotbeavailable.Them3familyisagoodblendofcomputeandmemory,whilether3familyisoptimizedformemory-intensiveworkloads.

Dependingonyourneeds,youmaychoosetohaveafewlargenodesormanysmallernodesinyourclusterorreplicationgroup.Asdemandforyourapplicationchanges,youmayalsoaddorremovenodesfromtimetotime.Eachnodetypecomeswithapreconfiguredamountofmemory,withasmallamountofthememoryallocatedtothecachingengineandoperatingsystemitself.

DesignforFailure

Whileitisunlikely,youshouldplanforthepotentialfailureofanindividualcachenode.ForMemcachedclusters,youcandecreasetheimpactofthefailureofacachenodebyusingalargernumberofnodeswithasmallercapacity,insteadofafewlargenodes.

IntheeventthatAmazonElastiCachedetectsthefailureofanode,itwillprovisionareplacementandadditbacktothecluster.Duringthistime,yourdatabasewillexperienceincreasedload,becauseanyrequeststhatwouldhavebeencachedwillnowneedtobereadfromthedatabase.ForRedisclusters,AmazonElastiCachewilldetectfailureandreplacetheprimarynode.IfaMulti-AZreplicationgroupisenabled,areadreplicacanbeautomaticallypromotedtoprimary.

MemcachedAutoDiscoveryForMemcachedclusterspartitionedacrossmultiplenodes,AmazonElastiCachesupportsAutoDiscoverywiththeprovidedclientlibrary.AutoDiscoverysimplifiesyourapplicationcodebynolongerneedingawarenessoftheinfrastructuretopologyofthecacheclusterinyourapplicationlayer.

UsingAutoDiscovery

TheAutoDiscoveryclientgivesyourapplicationstheabilitytoidentifyautomaticallyallofthenodesinacacheclusterandtoinitiateandmaintainconnectionstoallofthesenodes.TheAutoDiscoveryclientisavailablefor.NET,Java,andPHPplatforms.

ScalingAmazonElastiCacheallowsyoutoadjustthesizeofyourenvironmenttomeettheneedsofworkloadsastheyevolveovertime.Addingadditionalcachenodesallowsyoutoeasilyexpandhorizontallyandmeethigherlevelsofreadorwriteperformance.Youcanalsoselectdifferentclassesofcachenodestoscalevertically.

HorizontalScalingAmazonElastiCachealsoaddsadditionalfunctionalitythatallowsyoutoscalehorizontallythesizeofyourcacheenvironment.Thisfunctionalitydiffersdepending

onthecacheengineyouhaveselected.WithMemcached,youcanpartitionyourdataandscalehorizontallyto20nodesormore.WithAutoDiscovery,yourapplicationcandiscoverMemcachednodesthatareaddedorremovedfromacluster.

ARedisclusterconsistsofasinglecachenodethatishandlingreadandwritetransactions.AdditionalclusterscanbecreatedandgroupedintoaRedisreplicationgroup.Whileyoucanonlyhaveonenodehandlingwritecommands,youcanhaveuptofivereadreplicashandlingread-onlyrequests.

VerticalScalingSupportforverticalscalingismorelimitedwithAmazonElastiCache.Ifyouliketochangethecachenodetypeandscalethecomputeresourcesvertically,theservicedoesnotdirectlyallowyoutoresizeyourclusterinthismanner.Youcan,however,quicklyspinupanewclusterwiththedesiredcachenodetypesandstartredirectingtraffictothenewcluster.It’simportanttounderstandthatanewMemcachedclusteralwaysstartsempty,whileaRedisclustercanbeinitializedfromabackup.

ReplicationandMulti-AZReplicationisausefultechniquetoproviderapidrecoveryintheeventofanodefailure,andalsotoserveupveryhighvolumesofreadqueriesbeyondthecapabilitiesofasinglenode.AmazonElastiCacheclustersrunningRedissupportbothofthesedesignrequirements.UnlikeRedis,cacheclustersrunningMemcachedarestandalonein-memoryserviceswithoutanyredundantdataprotectionservices.

CacheclustersrunningRedissupporttheconceptofreplicationgroups.Areplicationgroupconsistsofuptosixclusters,withfiveofthemdesignatedasreadreplicas.Thisallowsyoutoscalehorizontallybywritingcodeinyourapplicationtooffloadreadstooneofthefiveclones(seeFigure10.2).

FIGURE10.2Redisreplicationgroup

Multi-AZReplicationGroupsYoucanalsocreateaMulti-AZreplicationgroupthatallowsyoutoincreaseavailabilityandminimizethelossofdata.Multi-AZsimplifiestheprocessofdealingwithafailurebyautomatingthereplacementandfailoverfromtheprimarynode.

Intheeventtheprimarynodefailsorcan’tbereached,Multi-AZwillselectandpromoteareadreplicatobecomethenewprimary,andanewnodewillbeprovisionedtoreplacethefailedone.AmazonElastiCachewillthenupdatetheDomainNameSystem(DNS)entryofthenewprimarynodetoallowyourapplicationtocontinueprocessingwithoutanyconfigurationchangeandwithonlyashortdisruption.

UnderstandThatReplicationIsAsynchronous

It’simportanttokeepinmindthatreplicationbetweentheclustersisperformedasynchronouslyandtherewillbeasmalldelaybeforedataisavailableonallclusternodes.

BackupandRecoveryAmazonElastiCacheclustersrunningRedisallowyoutopersistyourdatafromin-memoryto

diskandcreateasnapshot.Eachsnapshotisafullcloneofthedatathatcanbeusedtorecovertoaspecificpointintimeortocreateacopyforotherpurposes.SnapshotscannotbecreatedforclustersusingtheMemcachedenginebecauseitisapurelyin-memorykey/valuestoreandalwaysstartsempty.AmazonElastiCacheusesthenativebackupcapabilitiesofRedisandwillgenerateastandardRedisdatabasebackupfilethatgetsstoredinAmazonSimpleStorageService(AmazonS3).

Snapshotsrequirecomputeandmemoryresourcestoperformandcanpotentiallyhaveaperformanceimpactonheavilyusedclusters.AmazonElastiCachewilltrydifferentbackuptechniquesdependingontheamountofmemorycurrentlyavailable.Abestpracticeistosetupareplicationgroupandperformasnapshotagainstoneofthereadreplicasinsteadoftheprimarynode.

Inadditiontomanuallyinitiatedsnapshots,snapshotscanbecreatedautomaticallybasedonaschedule.Youcanalsoconfigureawindowforthesnapshotoperationtobecompletedandspecifyhowmanydaysofbackupsyouwanttostore.Manualsnapshotsarestoredindefinitelyuntilyoudeletethem.

BackupRedisClusters

UseacombinationofautomaticandmanualsnapshotstomeetyourrecoveryobjectivesforyourRediscluster.Memcachedispurelyin-memoryanddoesnothavenativebackupcapabilities.

Whetherthesnapshotwascreatedautomaticallyormanually,thesnapshotcanthenbeusedtocreateanewclusteratanytime.Bydefault,thenewclusterwillhavethesameconfigurationasthesourcecluster,butyoucanoverridethesesettings.YoucanalsorestorefromanRDBfilegeneratedfromanyothercompatibleRediscluster.

AccessControlAccesstoyourAmazonElastiCacheclusteriscontrolledprimarilybyrestrictinginboundnetworkaccesstoyourcluster.Inboundnetworktrafficisrestrictedthroughtheuseofsecuritygroups.Eachsecuritygroupdefinesoneormoreinboundrulesthatrestrictthesourcetraffic.WhendeployedinsideofaVirtualPrivateCloud(VPC),eachnodewillbeissuedaprivateIPaddresswithinoneormoresubnetsthatyouselect.IndividualnodescanneverbeaccessedfromtheInternetorfromAmazonEC2instancesoutsidetheVPC.YoucanfurtherrestrictnetworkingressatthesubnetlevelbymodifyingthenetworkAccessControlLists(ACLs).

AccesstomanagetheconfigurationandinfrastructureoftheclusteriscontrolledseparatelyfromaccesstotheactualMemcachedorRedisserviceendpoint.UsingtheAWSIdentityandAccessManagement(IAM)service,youcandefinepoliciesthatcontrolwhichAWSuserscanmanagetheAmazonElastiCacheinfrastructureitself.

SomeofthekeyactionsanadministratorcanperformincludeCreateCacheCluster,ModifyCacheCluster,orDeleteCacheCluster.RedisclustersalsosupportCreateReplicationGroupandCreateSnapshotactions,amongothers.

SummaryInthischapter,youlearnedaboutcachingenvironmentswithinthecloudusingAmazonElastiCache.YoucanquicklylaunchclustersrunningMemcachedorRedistostorefrequentlyuseddatain-memory.Cachingcanspeeduptheresponsetimeofyourapplications,reduceloadonyourback-enddatastores,andimprovetheuserexperience.

WithAmazonElastiCache,youcanoffloadtheadministrativetasksforprovisioningandoperatingclustersandfocusontheapplication.Eachcacheclustercontainsoneormorenodes.Selectfromarangeofnodetypestogivetherightmixofcomputeandmemoryresourcesforyourusecase.

YoucanexpandbothMemcachedandRedisclustersverticallybyselectingalargerorsmallernodetypetomatchyourneeds.WithAmazonElastiCacheandtheMemcachedengine,youcanalsoscaleyourclusterhorizontallybyaddingorremovingnodes.WithAmazonElastiCacheandtheRedisengine,youcanalsoscalehorizontallybycreatingareplicationgroupthatwillautomaticallyreplicateacrossmultiplereadreplicas.

StreamlineyourbackupandrecoveryprocessforRedisclusterswithAmazonElastiCache’sconsistentoperationalmodel.WhileMemcachedclustersarein-memoryonlyandcannotbepersisted,Redisclusterssupportbothautomatedandmanualsnapshots.Asnapshotcanthenberestoredtorecoverfromafailureortocloneanenvironment.

YoucansecureyourcacheenvironmentsatthenetworklevelwithsecuritygroupsandnetworkACLs,andattheinfrastructurelevelusingIAMpolicies.Securitygroupswillserveasyourprimaryaccesscontrolmechanismtorestrictinboundaccessforactiveclusters.

Youshouldanalyzeyourdatausagepatternsandidentifyfrequentlyrunqueriesorotherexpensiveoperationsthatcouldbecandidatesforcaching.Youcanrelievepressurefromyourdatabasebyoffloadingreadrequeststothecachetier.Dataelementsthatareaccessedoneverypageload,orwitheveryrequestbutdonotchange,areoftenprimecandidatesforcaching.Evendatathatchangesfrequentlycanoftenbenefitfrombeingcachedwithverylargerequestvolumes.

ExamEssentialsKnowhowtouseAmazonElastiCache.ImprovetheperformanceofyourapplicationbydeployingAmazonElastiCacheclustersaspartofyourapplicationandoffloadingreadrequestsforfrequentlyaccesseddata.Usethecache-asidepatterninyourapplicationfirsttocheckthecacheforyourqueryresultsbeforecheckingthedatabase.

Understandwhentouseaspecificcacheengine.AmazonElastiCachegivesyouthechoiceofcacheenginetosuityourrequirements.UseMemcachedwhenyouneedasimple,in-memoryobjectstorethatcanbeeasilypartitionedandscaledhorizontally.UseRediswhenyouneedtobackupandrestoreyourdata,needmanyclonesorreadreplicas,orarelookingforadvancedfunctionalitylikesortandrankorleaderboardsthatRedisnativelysupports.

UnderstandhowtoscaleaRedisclusterhorizontally.AnAmazonElastiCacheclusterrunningRediscanbescaledhorizontallyfirstbycreatingareplicationgroup,thenbycreatingadditionalclustersandaddingthemtothereplicationgroup.

UnderstandhowtoscaleaMemcachedclusterhorizontally.AnAmazonElastiCacheclusterrunningMemcachedcanbescaledhorizontallybyaddingorremovingadditionalcachenodestothecluster.TheAmazonElastiCacheclientlibrarysupportsAutoDiscoveryandcandiscovernewnodesaddedorremovedfromtheclusterwithouthavingtohardcodethelistofnodes.

KnowhowtobackupyourAmazonElastiCachecluster.YoucancreateasnapshottobackupyourAmazonElastiCacheclustersrunningtheRedisengine.Snapshotscanbecreatedautomaticallyonadailybasisormanuallyondemand.AmazonElastiCacheclustersrunningMemcacheddonotsupportbackupandrestorenatively.

ExercisesInthissection,youwillcreateacacheclusterusingAmazonElastiCache,expandtheclusterwithadditionalnodes,andfinallycreateareplicationgroupwithanAmazonElastiCacheRediscluster.

EXERCISE10.1

CreateanAmazonElastiCacheClusterRunningMemcachedInthisexercise,youwillcreateanAmazonElastiCacheclusterusingtheMemcachedengine.

1. WhilesignedintotheAWSManagementConsole,opentheAmazonElastiCacheservicedashboard.

2. BeginthelaunchandconfigurationprocesstocreateanewAmazonElastiCachecluster.

3. SelecttheMemcachedcacheengine,andconfiguretheclustername,numberofnodes,andnodetype.

4. Optionallyconfigurethesecuritygroupandmaintenancewindowasneeded.

5. Reviewtheclusterconfiguration,andbeginprovisioningthecluster.

6. ConnecttotheclusterwithanyMemcachedclientusingtheDNSnameofthecluster.

YouhavenowcreatedyourfirstAmazonElastiCachecluster.

EXERCISE10.2

ExpandtheSizeofaMemcachedClusterInthisexercise,youwillexpandthesizeofanexistingAmazonElastiCacheMemcachedcluster.

1. LaunchaMemcachedclusterusingthestepsdefinedinExercise10.1.

2. GototheAmazonElastiCachedashboard,andviewthedetailsofyourexistingcluster.

3. Viewthelistofnodescurrentlyprovisioned,andthenaddoneadditionalnodebyincreasingthenumberofnodes.

4. Applytheconfigurationchange,andwaitforthenewnodetofinishtheprovisioningprocess.

5. Verifythatthenewnodehasbeencreated,andconnecttothenodeusingaMemcachedclient.

Inthisexercise,youhavehorizontallyscaledanexistingAmazonElastiCacheclusterbyaddingacachenode.

EXERCISE10.3

CreateanAmazonElastiCacheClusterandRedisReplicationGroupInthisexercise,youwillcreateanAmazonElastiCacheclusterusingRedisnodes,createareplicationgroup,andsetupareadreplica.

1. SignintotheAWSManagementConsole,andnavigatetotheAmazonElastiCacheservicedashboard.

2. BegintheconfigurationandlaunchprocessforanewAmazonElastiCachecluster.

3. SelecttheRediscacheengine,andthenconfigureareplicationgroupandthenodetype.

4. Configureareadreplicabysettingthenumberofreadreplicasto1,andverifythatEnableReplicationandMulti-AZareselected.

5. AdjusttheAvailabilityZonesfortheprimaryandreadreplicaclusters,securitygroups,andmaintenancewindow,asneeded.

6. Reviewtheclusterconfiguration,andbeginprovisioningthecluster.

7. ConnecttotheprimarynodeandthereadreplicanodewithaRedisclientlibrary.Performasimplesetoperationontheprimarynode,andthenperformagetoperationwiththesamekeyonthereplica.

YouhavenowcreatedanAmazonElastiCacheclusterusingtheRedisengineandconfiguredareadreplica.

ReviewQuestions1. Whichofthefollowingobjectsaregoodcandidatestostoreinacache?(Choose3answers)

A. Sessionstate

B. Shoppingcart

C. Productcatalog

D. Bankaccountbalance

2. WhichofthefollowingcacheenginesaresupportedbyAmazonElastiCache?(Choose2answers)

A. MySQL

B. Memcached

C. Redis

D. Couchbase

3. HowmanynodescanyouaddtoanAmazonElastiCacheclusterrunningMemcached?

A. 1

B. 5

C. 20

D. 100

4. HowmanynodescanyouaddtoanAmazonElastiCacheclusterrunningRedis?

A. 1

B. 5

C. 20

D. 100

5. AnapplicationcurrentlyusesMemcachedtocachefrequentlyuseddatabasequeries.WhichstepsarerequiredtomigratetheapplicationtouseAmazonElastiCachewithminimalchanges?(Choose2answers)

A. RecompiletheapplicationtousetheAmazonElastiCachelibraries.

B. UpdatetheconfigurationfilewiththeendpointfortheAmazonElastiCachecluster.

C. Configureasecuritygrouptoallowaccessfromtheapplicationservers.

D. ConnecttotheAmazonElastiCachenodesusingSecureShell(SSH)andinstallthelatestversionofMemcached.

6. HowcanyoubackupdatastoredinAmazonElastiCacherunningRedis?(Choose2answers)

A. CreateanimageoftheAmazonElasticComputeCloud(AmazonEC2)instance.

B. Configureautomaticsnapshotstobackupthecacheenvironmenteverynight.

C. Createasnapshotmanually.

D. Redisclusterscannotbebackedup.

7. HowcanyousecureanAmazonElastiCachecluster?(Choose3answers)

A. ChangetheMemcachedrootpassword.

B. RestrictApplicationProgrammingInterface(API)actionsusingAWSIdentityandAccessManagement(IAM)policies.

C. Restrictnetworkaccessusingsecuritygroups.

D. RestrictnetworkaccessusinganetworkAccessControlList(ACL).

8. Youareworkingonamobilegamingapplicationandarebuildingtheleaderboardfeaturetotrackthetopscoresacrossmillionsofusers.WhichAWSservicesarebestsuitedforthisusecase?

A. AmazonRedshift

B. AmazonElastiCacheusingMemcached

C. AmazonElastiCacheusingRedis

D. AmazonSimpleStorageService(S3)

9. YouhavebuiltalargewebapplicationthatusesAmazonElastiCacheusingMemcachedtostorefrequentqueryresults.Youplantoexpandboththewebfleetandthecachefleetmultipletimesoverthenextyeartoaccommodateincreasedusertraffic.Howdoyouminimizetheamountofchangesrequiredwhenascalingeventoccurs?

A. ConfigureAutoDiscoveryontheclientside

B. ConfigureAutoDiscoveryontheserverside

C. Updatetheconfigurationfileeachtimeanewcluster

D. UseanElasticLoadBalancertoproxytherequests

10. WhichcacheenginesdoesAmazonElastiCachesupport?(Choose2answers)

A. Memcached

B. Redis

C. Membase

D. Couchbase

Chapter11AdditionalKeyServicesTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMTOPICSOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems




Planninganddesign



2.1IdentifytheappropriatetechniquesandmethodsusingAmazonElasticComputeCloud(AmazonEC2),AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.







AWSplatformcompliance

AWSsecurityattributes(customerworkloadsdowntophysicallayer)


AWSCloudTrail

Ingressvs.egressfilteringandwhichAWScloudservicesandfeaturesfit


AWSTrustedAdvisor

3.2Recognizecriticaldisasterrecoverytechniquesandtheir

implementation.


AWSImport/Export

AWSStorageGateway

IntroductionBecauseSolutionsArchitectsareofteninvolvedinsolutionsacrossawidevarietyofbusinessverticalsandusecases,itisimportanttounderstandthebasicsofallAWScloudserviceofferings.ThischapterfocusesonadditionalkeyAWSservicesthatyoushouldknowatahighleveltobesuccessfulontheexam.Theseservicesaregroupedintofourcategories:StorageandContentDelivery,Security,Analytics,andDevOps.

Beforearchitectinganysystem,foundationalpracticesthatinfluencesecurityshouldbeinplace;forexample,providingdirectoriesthatcontainorganizationalinformationorhowencryptionprotectsdatabywayofrenderingitunintelligibletounauthorizedaccess.AsaSolutionsArchitect,understandingtheAWScloudservicesavailabletosupportanorganization’sdirectoriesandencryptionareimportantbecausetheysupportobjectivessuchasidentitymanagementorcomplyingwithregulatoryobligations.

Architectinganalyticalsolutionsiscriticalbecausetheamountofdatathatcompaniesneedtounderstandcontinuestogrowtorecordsizes.AWSprovidesanalyticservicesthatcanscaletoverylargedatastoresefficientlyandcost-effectively.UnderstandingtheseservicesallowsSolutionsArchitectstobuildvirtuallyanybigdataapplicationandsupportanyworkloadregardlessofvolume,velocity,andvarietyofdata.

DevOpsbecomesanimportantconceptasthepaceofinnovationacceleratesandcustomerneedsrapidlyevolve,forcingbusinessestobecomeincreasinglyagile.Timetomarketiskey,andtofacilitateoverallbusinessgoals,ITdepartmentsneedtobeagile.UnderstandingtheDevOpsoptionsthatareavailableonAWSwillhelpSolutionsArchitectsmeetthedemandsofagilebusinessesthatneedIToperationstodeployapplicationsinaconsistent,repeatable,andreliablemanner.

Understandingtheseadditionalserviceswillnotonlyhelpinyourexampreparation,butitwillalsohelpyouestablishafoundationforgrowingasaSolutionsArchitectontheAWSplatform.

StorageandContentDeliveryThissectioncoverstwoadditionalstorageandcontentdeliveryservicesthatareimportantforaSolutionsArchitecttounderstand:AmazonCloudFrontandAWSStorageGateway.

AmazonCloudFrontAmazonCloudFrontisaglobalContentDeliveryNetwork(CDN)service.ItintegrateswithotherAWSproductstogivedevelopersandbusinessesaneasywaytodistributecontenttoenduserswithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.

OverviewAContentDeliveryNetwork(CDN)isagloballydistributednetworkofcachingserversthatspeedupthedownloadingofwebpagesandothercontent.CDNsuseDomainNameSystem(DNS)geo-locationtodeterminethegeographiclocationofeachrequestforawebpageorothercontent,thentheyservethatcontentfromedgecachingserversclosesttothatlocationinsteadoftheoriginalwebserver.ACDNallowsyoutoincreasethescalabilityofawebsiteormobileapplicationeasilyinresponsetopeaktrafficspikes.Inmostcases,usingaCDNiscompletelytransparent—enduserssimplyexperiencebetterwebsiteperformance,whiletheloadonyouroriginalwebsiteisreduced.

AmazonCloudFrontisAWSCDN.ItcanbeusedtodeliveryourwebcontentusingAmazon’sglobalnetworkofedgelocations.Whenauserrequestscontentthatyou’reservingwithAmazonCloudFront,theuserisroutedtotheedgelocationthatprovidesthelowestlatency(timedelay),socontentisdeliveredwiththebestpossibleperformance.Ifthecontentisalreadyintheedgelocationwiththelowestlatency,AmazonCloudFrontdeliversitimmediately.Ifthecontentisnotcurrentlyinthatedgelocation,AmazonCloudFrontretrievesitfromtheoriginserver,suchasanAmazonSimpleStorageService(AmazonS3)bucketorawebserver,whichstorestheoriginal,definitiveversionsofyourfiles.

AmazonCloudFrontisoptimizedtoworkwithotherAWScloudservicesastheoriginserver,includingAmazonS3buckets,AmazonS3staticwebsites,AmazonElasticComputeCloud(AmazonEC2),andElasticLoadBalancing.AmazonCloudFrontalsoworksseamlesslywithanynon-AWSoriginserver,suchasanexistingon-premiseswebserver.AmazonCloudFrontalsointegrateswithAmazonRoute53.

AmazonCloudFrontsupportsallcontentthatcanbeservedoverHTTPorHTTPS.Thisincludesanypopularstaticfilesthatareapartofyourwebapplication,suchasHTMLfiles,images,JavaScript,andCSSfiles,andalsoaudio,video,mediafiles,orsoftwaredownloads.AmazonCloudFrontalsosupportsservingdynamicwebpages,soitcanactuallybeusedtodeliveryourentirewebsite.Finally,AmazonCloudFrontsupportsmediastreaming,usingbothHTTPandRTMP.

AmazonCloudFrontBasicsTherearethreecoreconceptsthatyouneedtounderstandinordertostartusingCloudFront:distributions,origins,andcachecontrol.Withtheseconcepts,youcaneasilyuseCloudFronttospeedupdeliveryofstaticcontentfromyourwebsites.

DistributionsTouseAmazonCloudFront,youstartbycreatingadistribution,whichisidentifiedbyaDNSdomainnamesuchasd111111abcdef8.cloudfront.net.ToservefilesfromAmazonCloudFront,yousimplyusethedistributiondomainnameinplaceofyourwebsite’sdomainname;therestofthefilepathsstayunchanged.YoucanusetheAmazonCloudFrontdistributiondomainnameas-is,oryoucancreateauser-friendlyDNSnameinyourowndomainbycreatingaCNAMErecordinAmazonRoute53oranotherDNSservice.TheCNAMEisautomaticallyredirectedtoyourAmazonCloudFrontdistributiondomainname.

OriginsWhenyoucreateadistribution,youmustspecifytheDNSdomainnameoftheorigin—theAmazonS3bucketorHTTPserver—fromwhichyouwantAmazonCloudFronttogetthedefinitiveversionofyourobjects(webfiles).Forexample:

AmazonS3bucket:myawsbucket.s3.amazonaws.com

AmazonEC2instance:ec2–203–0–113–25.compute-1.amazonaws.com

ElasticLoadBalancingloadbalancer:my-load-balancer-1234567890.us-west-2.elb.amazonaws.com

WebsiteURL:mywebserver.mycompanydomain.com

CacheControlOncerequestedandservedfromanedgelocation,objectsstayinthecacheuntiltheyexpireorareevictedtomakeroomformorefrequentlyrequestedcontent.Bydefault,objectsexpirefromthecacheafter24hours.Onceanobjectexpires,thenextrequestresultsinAmazonCloudFrontforwardingtherequesttotheorigintoverifythattheobjectisunchangedortofetchanewversionifithaschanged.

Optionally,youcancontrolhowlongobjectsstayinanAmazonCloudFrontcachebeforeexpiring.Todothis,youcanchoosetouseCache-Controlheaderssetbyyouroriginserveroryoucansettheminimum,maximum,anddefaultTimetoLive(TTL)forobjectsinyourAmazonCloudFrontdistribution.

YoucanalsoremovecopiesofanobjectfromallAmazonCloudFrontedgelocationsatanytimebycallingtheinvalidationApplicationProgramInterface(API).ThisfeatureremovestheobjectfromeveryAmazonCloudFrontedgelocationregardlessoftheexpirationperiodyousetforthatobjectonyouroriginserver.Theinvalidationfeatureisdesignedtobeusedinunexpectedcircumstances,suchastocorrectanerrorortomakeanunanticipatedupdatetoawebsite,notaspartofyoureverydayworkflow.

Insteadofinvalidatingobjectsmanuallyorprogrammatically,itisabestpracticetouseaversionidentifieraspartoftheobject(file)pathname.Forexample:

Oldfile:assets/v1/css/narrow.css

Newfile:assets/v2/css/narrow.css

Whenusingversioning,usersalwaysseethelatestcontentthroughAmazonCloudFrontwhenyouupdateyoursitewithoutusinginvalidation.Oldversionswillexpirefromthecacheautomatically.

AmazonCloudFrontAdvancedFeaturesCloudFrontcandomuchmorethansimplyservestaticwebfiles.TostartusingCloudFront’sadvancedfeatures,youwillneedtounderstandhowtousecachebehaviors,andhowto

restrictaccesstosensitivecontent.

DynamicContent,MultipleOrigins,andCacheBehaviorsServingstaticassets,suchasdescribedpreviously,isacommonwaytouseaCDN.AnAmazonCloudFrontdistribution,however,caneasilybesetuptoservedynamiccontentinadditiontostaticcontentandtousemorethanoneoriginserver.Youcontrolwhichrequestsareservedbywhichoriginandhowrequestsarecachedusingafeaturecalledcachebehaviors.

AcachebehaviorletsyouconfigureavarietyofAmazonCloudFrontfunctionalitiesforagivenURLpathpatternforfilesonyourwebsite.ForexampleseeFigure11.1.OnecachebehaviorappliestoallPHPfilesinawebserver(dynamiccontent),usingthepathpattern*.php,whileanotherbehaviorappliestoallJPEGimagesinanotheroriginserver(staticcontent),usingthepathpattern*.jpg.

FIGURE11.1Deliveringstaticanddynamiccontent

Thefunctionalityyoucanconfigureforeachcachebehaviorincludesthefollowing:

Thepathpattern

Whichorigintoforwardyourrequeststo

Whethertoforwardquerystringstoyourorigin

WhetheraccessingthespecifiedfilesrequiressignedURLs

WhethertorequireHTTPSaccess

TheamountoftimethatthosefilesstayintheAmazonCloudFrontcache(regardlessofthevalueofanyCache-Controlheadersthatyouroriginaddstothefiles)

Cachebehaviorsareappliedinorder;ifarequestdoesnotmatchthefirstpathpattern,itdropsdowntothenextpathpattern.Normallythelastpathpatternspecifiedis*tomatchallfiles.

WholeWebsiteUsingcachebehaviorsandmultipleorigins,youcaneasilyuseAmazonCloudFronttoserveyourwholewebsiteandtosupportdifferentbehaviorsfordifferentclientdevices.

PrivateContentInmanycases,youmaywanttorestrictaccesstocontentinAmazonCloudFronttoonlyselectedrequestors,suchaspaidsubscribersortoapplicationsorusersinyourcompanynetwork.AmazonCloudFrontprovidesseveralmechanismstoallowyoutoserveprivatecontent.Theseinclude:

SignedURLsUseURLsthatarevalidonlybetweencertaintimesandoptionallyfromcertainIPaddresses.

SignedCookiesRequireauthenticationviapublicandprivatekeypairs.

OriginAccessIdentities(OAI)RestrictaccesstoanAmazonS3bucketonlytoaspecialAmazonCloudFrontuserassociatedwithyourdistribution.ThisistheeasiestwaytoensurethatcontentinabucketisonlyaccessedbyAmazonCloudFront.

UseCasesThereareseveralusecaseswhereAmazonCloudFrontisanexcellentchoice,including,butnotlimitedto:

ServingtheStaticAssetsofPopularWebsitesStaticassetssuchasimages,CSS,andJavaScripttraditionallymakeupthebulkofrequeststotypicalwebsites.UsingAmazonCloudFrontwillspeeduptheuserexperienceandreduceloadonthewebsiteitself.

ServingaWholeWebsiteorWebApplicationAmazonCloudFrontcanserveawholewebsitecontainingbothdynamicandstaticcontentbyusingmultipleorigins,cachebehaviors,andshortTTLsfordynamiccontent.

ServingContenttoUsersWhoAreWidelyDistributedGeographicallyAmazonCloudFrontwillimprovesiteperformance,especiallyfordistantusers,andreducetheloadonyouroriginserver.

DistributingSoftwareorOtherLargeFilesAmazonCloudFrontwillhelpspeedupthedownloadofthesefilestoendusers.

ServingStreamingMediaAmazonCloudFronthelpsservestreamingmedia,suchasaudioandvideo.

TherearealsousecaseswhereCloudFrontisnotappropriate,including:

AllorMostRequestsComeFromaSingleLocationIfallormostofyourrequestscomefromasinglegeographiclocation,suchasalargecorporatecampus,youwillnottakeadvantageofmultipleedgelocations.

AllorMostRequestsComeThroughaCorporateVPNSimilarly,ifyourusersconnectviaacorporateVirtualPrivateNetwork(VPN),eveniftheyaredistributed,userrequestsappeartoCloudFronttooriginatefromoneorafewlocations.TheseusecaseswillgenerallynotseebenefitfromusingAmazonCloudFront.

AWSStorageGatewayAWSStorageGatewayisaserviceconnectinganon-premisessoftwareappliancewithcloud-

basedstoragetoprovideseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandAWSstorageinfrastructure.TheserviceenablesyoutostoredatasecurelyontheAWScloudinascalableandcost-effectivemanner.AWSStorageGatewaysupportsindustry-standardstorageprotocolsthatworkwithyourexistingapplications.Itprovideslow-latencyperformancebycachingfrequentlyaccesseddataon-premiseswhileencryptingandstoringallofyourdatainAmazonS3orAmazonGlacier.

OverviewAWSStorageGateway’ssoftwareapplianceisavailablefordownloadasaVirtualMachine(VM)imagethatyouinstallonahostinyourdatacenterandthenregisterwithyourAWSaccountthroughtheAWSManagementConsole.ThestorageassociatedwiththeapplianceisexposedasaniSCSIdevicethatcanbemountedbyyouron-premisesapplications.

TherearethreeconfigurationsforAWSStorageGateway:Gateway-Cachedvolumes,Gateway-Storedvolumes,andGateway-VirtualTapeLibraries(VTL).

Gateway-CachedVolumesGateway-CachedvolumesallowyoutoexpandyourlocalstoragecapacityintoAmazonS3.AlldatastoredonaGateway-CachedvolumeismovedtoAmazonS3,whilerecentlyreaddataisretainedinlocalstoragetoprovidelow-latencyaccess.Whileeachvolumeislimitedtoamaximumsizeof32TB,asinglegatewaycansupportupto32volumesforamaximumstorageof1PB.

Point-in-timesnapshotscanbetakentobackupyourAWSStorageGateway.Thesesnapshotsareperformedincrementally,andonlythedatathathaschangedsincethelastsnapshotisstored.

AllGateway-CachedvolumedataandsnapshotdataistransferredtoAmazonS3overencryptedSecureSocketsLayer(SSL)connections.ItisencryptedatrestinAmazonS3usingServer-SideEncryption(SSE).However,youcannotdirectlyaccessthisdatawiththeAmazonS3APIorothertoolssuchastheAmazonS3console;insteadyoumustaccessitthroughtheAWSStorageGatewayservice.

Gateway-StoredVolumesGateway-Storedvolumesallowyoutostoreyourdataonyouron-premisesstorageandasynchronouslybackupthatdatatoAmazonS3.Thisprovideslow-latencyaccesstoalldata,whilealsoprovidingoff-sitebackupstakingadvantageofthedurabilityofAmazonS3.ThedataisbackedupintheformofAmazonElasticBlockStore(AmazonEBS)snapshots.Whileeachvolumeislimitedtoamaximumsizeof16TB,asinglegatewaycansupportupto32volumesforamaximumstorageof512TB.

SimilartoGateway-Cachedvolumes,youcantakesnapshotsofyourGateway-Storedvolumes.ThegatewaystoresthesesnapshotsinAmazonS3asAmazonEBSsnapshots.Whenyoutakeanewsnapshot,onlythedatathathaschangedsinceyourlastsnapshotisstored.Youcaninitiatesnapshotsonascheduledorone-timebasis.BecausethesesnapshotsarestoredasAmazonEBSsnapshots,youcancreateanewAmazonEBSvolumefromaGateway-Storedvolume.

AllGateway-StoredvolumedataandsnapshotdataistransferredtoAmazonS3overencryptedSSLconnections.ItisencryptedatrestinAmazonS3usingSSE.However,youcannotaccessthisdatawiththeAmazonS3APIorothertoolssuchastheAmazonS3console.

Ifyouron-premisesapplianceorevenentiredatacenterbecomesunavailable,thedatainAWSStorageGatewaycanstillberetrieved.Ifit’sonlytheappliancethatisunavailable,anewappliancecanbelaunchedinthedatacenterandattachedtotheexistingAWSStorageGateway.AnewappliancecanalsobelaunchedinanotherdatacenterorevenonanAmazonEC2instanceonthecloud.

GatewayVirtualTapeLibraries(VTL)Gateway-VTLoffersadurable,cost-effectivesolutiontoarchiveyourdataontheAWScloud.TheVTLinterfaceletsyouleverageyourexistingtape-basedbackupapplicationinfrastructuretostoredataonvirtualtapecartridgesthatyoucreateonyourGateway-VTL.

Avirtualtapeisanalogoustoaphysicaltapecartridge,exceptthedataisstoredontheAWScloud.Tapesarecreatedblankthroughtheconsoleorprogrammaticallyandthenfilledwithbackedupdata.Agatewaycancontainupto1,500tapes(1PB)oftotaltapedata.Virtualtapesappearinyourgateway’sVTL,avirtualizedversionofaphysicaltapelibrary.Virtualtapesarediscoveredbyyourbackupapplicationusingitsstandardmediainventoryprocedure.

Whenyourtapesoftwareejectsatape,itisarchivedonaVirtualTapeShelf(VTS)andstoredinAmazonGlacier.You’reallowed1VTSperAWSregion,butmultiplegatewaysinthesameregioncanshareaVTS.

UseCasesThereareseveralusecaseswhereAWSStorageGatewayisanexcellentchoice,including,butnotlimitedto:

Gateway-CachedvolumesenableyoutoexpandlocalstoragehardwaretoAmazonS3,allowingyoutostoremuchmoredatawithoutdrasticallyincreasingyourstoragehardwareorchangingyourstorageprocesses.

Gateway-Storedvolumesprovideseamless,asynchronous,andsecurebackupofyouron-premisesstoragewithoutnewprocessesorhardware.

Gateway-VTLsenableyoutokeepyourcurrenttapebackupsoftwareandprocesseswhilestoringyourdatamorecost-effectivelyandsimplyonthecloud.

SecurityCloudsecurityatAWSisthehighestpriority.AWScustomersbenefitfromdatacentersandnetworkarchitecturesbuilttomeettherequirementsofthemostsecurity-sensitiveorganizations.

AnadvantageoftheAWScloudisthatitallowscustomerstoscaleandinnovatewhilemaintainingasecureenvironment.Cloudsecurityismuchlikesecurityinyouron-premisesdatacenters,onlywithoutthecostsofmaintainingfacilitiesandhardware.Inthecloud,youdon’thavetomanagephysicalserversorstoragedevices.Instead,youusesoftware-basedsecuritytoolstomonitorandprotecttheflowofinformationintoandofoutofyourcloudresources.

ThissectionwillfocusonfourAWSservicesthataredirectlyrelatedtothespecificsecuritypurposes:AWSDirectoryServiceforidentitymanagement,AWSKeyManagementService(KMS),AWSCloudHSMforkeymanagement,andAWSCloudTrailforauditing.

AWSDirectoryServiceAWSDirectoryServiceisamanagedserviceofferingthatprovidesdirectoriesthatcontaininformationaboutyourorganization,includingusers,groups,computers,andotherresources.

OverviewYoucanchoosefromthreedirectorytypes:

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition),alsoreferredtoasMicrosoftAD

SimpleAD

ADConnector

Asamanagedoffering,AWSDirectoryServiceisdesignedtoreduceidentitymanagementtasks,therebyallowingyoutofocusmoreofyourtimeandresourcesonyourbusiness.Thereisnoneedtobuildoutyourowncomplex,highly-availabledirectorytopologybecauseeachdirectoryisdeployedacrossmultipleAvailabilityZones,andmonitoringautomaticallydetectsandreplacesdomaincontrollersthatfail.Inaddition,datareplicationandautomateddailysnapshotsareconfiguredforyou.Thereisnosoftwaretoinstall,andAWShandlesallofthepatchingandsoftwareupdates.

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)isamanagedMicrosoftActiveDirectoryhostedontheAWScloud.ItprovidesmuchofthefunctionalityofferedbyMicrosoftActiveDirectoryplusintegrationwithAWSapplications.WiththeadditionalActiveDirectoryfunctionality,youcan,forexample,easilysetuptrustrelationshipswithyourexistingActiveDirectorydomainstoextendthosedirectoriestoAWScloudservices.

SimpleADSimpleADisaMicrosoftActiveDirectory-compatibledirectoryfromAWSDirectoryServicethatispoweredbySamba4.SimpleADsupportscommonlyusedActive

Directoryfeaturessuchasuseraccounts,groupmemberships,domain-joiningAmazonEC2instancesrunningLinuxandMicrosoftWindows,Kerberos-basedSingleSign-On(SSO),andgrouppolicies.ThismakesiteveneasiertomanageAmazonEC2instancesrunningLinuxandWindowsanddeployWindowsapplicationsontheAWScloud.

ManyoftheapplicationsandtoolsyouusetodaythatrequireMicrosoftActiveDirectorysupportcanbeusedwithSimpleAD.UseraccountsinSimpleADcanalsoaccessAWSapplications,suchasAmazonWorkSpaces,AmazonWorkDocs,orAmazonWorkMail.TheycanalsouseAWSIAMrolestoaccesstheAWSManagementConsoleandmanageAWSresources.Finally,SimpleADprovidesdailyautomatedsnapshotstoenablepoint-in-timerecovery.

NotethatyoucannotsetuptrustrelationshipsbetweenSimpleADandotherActiveDirectorydomains.OtherfeaturesnotsupportedatthetimeofthiswritingbySimpleADincludeDNSdynamicupdate,schemaextensions,Multi-FactorAuthentication(MFA),communicationoverLightweightDirectoryAccessProtocol(LDAP),PowerShellADcmdlets,andthetransferofFlexibleSingle-MasterOperations(FSMO)roles.

ADConnectorADConnectorisaproxyserviceforconnectingyouron-premisesMicrosoftActiveDirectorytotheAWScloudwithoutrequiringcomplexdirectorysynchronizationorthecostandcomplexityofhostingafederationinfrastructure.

ADConnectorforwardssign-inrequeststoyourActiveDirectorydomaincontrollersforauthenticationandprovidestheabilityforapplicationstoquerythedirectoryfordata.Aftersetup,youruserscanusetheirexistingcorporatecredentialstologontoAWSapplications,suchasAmazonWorkSpaces,AmazonWorkDocs,orAmazonWorkMail.WiththeproperIAMpermissions,theycanalsoaccesstheAWSManagementConsoleandmanageAWSresourcessuchasAmazonEC2instancesorAmazonS3buckets.YoucanalsouseADConnectortoenableMFAbyintegratingitwithyourexistingRemoteAuthenticationDial-UpService(RADIUS)-basedMFAinfrastructuretoprovideanadditionallayerofsecuritywhenusersaccessAWSapplications.

WithADConnector,youcontinuetomanageyourActiveDirectoryasusual.Forexample,addingnewusers,addingnewgroups,orupdatingpasswordsareallaccomplishedusingstandarddirectoryadministrationtoolswithyouron-premisesdirectory.Thus,inadditiontoprovidingastreamlinedexperienceforyourusers,ADConnectorenablesconsistentenforcementofyourexistingsecuritypolicies,suchaspasswordexpiration,passwordhistory,andaccountlockouts,whetherusersareaccessingresourceson-premisesorontheAWScloud.

UseCasesAWSDirectoryServiceprovidesmultiplewaystouseMicrosoftActiveDirectorywithotherAWScloudservices.Youcanchoosethedirectoryservicewiththefeaturesyouneedatacostthatfitsyourbudget.

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)ThisDirectoryServiceisyourbestchoiceifyouhavemorethan5,000usersandneedatrustrelationshipsetupbetweenanAWS-hosteddirectoryandyouron-premisesdirectories.

SimpleADInmostcases,SimpleADistheleastexpensiveoptionandyourbestchoiceif

youhave5,000orfewerusersanddon’tneedthemoreadvancedMicrosoftActiveDirectoryfeatures.

ADConnectorADConnectorisyourbestchoicewhenyouwanttouseyourexistingon-premisesdirectorywithAWScloudservices.

AWSKeyManagementService(KMS)andAWSCloudHSMKeymanagementisthemanagementofcryptographickeyswithinacryptosystem.Thisincludesdealingwiththegeneration,exchange,storage,use,andreplacementofkeys.

OverviewAWSofferstwoservicesthatprovideyouwiththeabilitytomanageyourownsymmetricorasymmetriccryptographickeys:

AWSKMS:Aserviceenablingyoutogenerate,store,enable/disable,anddeletesymmetrickeys

AWSCloudHSM:AserviceprovidingyouwithsecurecryptographickeystoragebymakingHardwareSecurityModules(HSMs)availableontheAWScloud

AWSKeyManagementService(AWSKMS)AWSKMSisamanagedservicethatmakesiteasyforyoutocreateandcontroltheencryptionkeysusedtoencryptyourdata.AWSKMSletsyoucreatekeysthatcanneverbeexportedfromtheserviceandthatcanbeusedtoencryptanddecryptdatabasedonpoliciesyoudefine.

ByusingAWSKMS,yougainmorecontroloveraccesstodatayouencrypt.YoucanusethekeymanagementandcryptographicfeaturesdirectlyinyourapplicationsorthroughAWScloudservicesthatareintegratedwithAWSKMS.WhetheryouarewritingapplicationsforAWSorusingAWScloudservices,AWSKMSenablesyoutomaintaincontroloverwhocanuseyourkeysandgainaccesstoyourencrypteddata.

CustomerManagedKeysAWSKMSusesatypeofkeycalledaCustomerMasterKey(CMK)toencryptanddecryptdata.CMKsarethefundamentalresourcesthatAWSKMSmanages.TheycanbeusedinsideofAWSKMStoencryptordecryptupto4KBofdatadirectly.Theycanalsobeusedtoencryptgenerateddatakeysthatarethenusedtoencryptordecryptlargeramountsofdataoutsideoftheservice.CMKscanneverleaveAWSKMSunencrypted,butdatakeyscanleavetheserviceunencrypted.

DataKeysYouusedatakeystoencryptlargedataobjectswithinyourownapplicationoutsideAWSKMS.WhenyoucallGenerateDataKey,AWSKMSreturnsaplaintextversionofthekeyandciphertextthatcontainsthekeyencryptedunderthespecifiedCMK.AWSKMStrackswhichCMKwasusedtoencryptthedatakey.Youusetheplaintextdatakeyinyourapplicationtoencryptdata,andyoutypicallystoretheencryptedkeyalongsideyourencrypteddata.Securitybestpracticessuggestthatyoushouldremovetheplaintextkeyfrommemoryassoonasispracticalafteruse.Todecryptdatainyourapplication,passtheencrypteddatakeytotheDecryptfunction.AWSKMSusestheassociatedCMKtodecryptandretrieveyourplaintextdatakey.Usetheplaintextkeytodecryptyourdata,andthenremovethekeyfrommemory.

EnvelopeEncryptionAWSKMSusesenvelopeencryptiontoprotectdata.AWSKMScreatesadatakey,encryptsitunderaCMK,andreturnsplaintextandencryptedversionsofthedatakeytoyou.Youusetheplaintextkeytoencryptdataandstoretheencryptedkeyalongsidetheencrypteddata.Thekeyshouldberemovedfrommemoryassoonasispracticalafteruse.Youcanretrieveaplaintextdatakeyonlyifyouhavetheencrypteddatakeyandyouhavepermissiontousethecorrespondingmasterkey.

EncryptionContextAllAWSKMScryptographicoperationsacceptanoptionalkey/valuemapofadditionalcontextualinformationcalledanencryptioncontext.Thespecifiedcontextmustbethesameforboththeencryptanddecryptoperationsordecryptionwillnotsucceed.Theencryptioncontextislogged,canbeusedforadditionalauditing,andisavailableascontextintheAWSpolicylanguageforfine-grainedpolicy-basedauthorization.

AWSCloudHSMAWSCloudHSMhelpsyoumeetcorporate,contractual,andregulatorycompliancerequirementsfordatasecuritybyusingdedicatedHSMapplianceswithintheAWScloud.AnHSMisahardwareappliancethatprovidessecurekeystorageandcryptographicoperationswithinatamper-resistanthardwaremodule.HSMsaredesignedtosecurelystorecryptographickeymaterialandusethekeymaterialwithoutexposingitoutsidethecryptographicboundaryoftheappliance.

TherecommendedconfigurationforusingAWSCloudHSMistousetwoHSMsconfiguredinahigh-availabilityconfiguration,asillustratedinFigure11.2.

FIGURE11.2HighavailabilityCloudHSMarchitecture

AWSCloudHSMallowsyoutoprotectyourencryptionkeyswithinHSMsthataredesignedandvalidatedtogovernmentstandardsforsecurekeymanagement.Youcansecurelygenerate,store,andmanagethecryptographickeysusedfordataencryptioninawaythatensuresthatonlyyouhaveaccesstothekeys.AWSCloudHSMhelpsyoucomplywithstrictkeymanagementrequirementswithintheAWScloudwithoutsacrificingapplicationperformance.

UseCasesTheAWSkeymanagementservicesaddressseveralsecurityneedsthatwouldrequireextensiveefforttodeployandmanageotherwise,including,butnotlimitedto:

ScalableSymmetricKeyDistributionSymmetricencryptionalgorithmsrequirethatthesamekeybeusedforbothencryptinganddecryptingthedata.Thisisproblematicbecausetransferringthekeyfromthesendertothereceivermustbedoneeitherthroughaknownsecurechannelorsome“outofband”process.

Government-ValidatedCryptographyCertaintypesofdata(forexample,PaymentCardIndustry—PCI—orhealthinformationrecords)mustbeprotectedwithcryptographythathasbeenvalidatedbyanoutsidepartyasconformingtothealgorithm(s)assertedbytheclaimingparty.

AWSCloudTrailAWSCloudTrailprovidesvisibilityintouseractivitybyrecordingAPIcallsmadeonyouraccount.AWSCloudTrailrecordsimportantinformationabouteachAPIcall,includingthenameoftheAPI,theidentityofthecaller,thetimeoftheAPIcall,therequestparameters,andtheresponseelementsreturnedbytheAWSservice.ThisinformationhelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.AWSCloudTrailmakesiteasiertoensurecompliancewithinternalpoliciesandregulatorystandards.

Overview

AWSCloudTrailcapturesAWSAPIcallsandrelatedeventsmadebyoronbehalfofanAWSaccountanddeliverslogfilestoanAmazonS3bucketthatyouspecify.Optionally,youcanconfigureAWSCloudTrailtodelivereventstoaloggroupmonitoredbyAmazonCloudWatchLogs.YoucanalsochoosetoreceiveAmazonSimpleNotificationService(AmazonSNS)notificationseachtimealogfileisdeliveredtoyourbucket.YoucancreateatrailwiththeAWSCloudTrailconsole,theAWSCommandLineInterface(CLI),ortheAWSCloudTrailAPI.AtrailisaconfigurationthatenablesloggingoftheAWSAPIactivityandrelatedeventsinyouraccount.

Youcancreatetwotypesoftrails:

ATrailThatAppliestoAllRegionsWhenyoucreateatrailthatappliestoallAWSregions,AWSCloudTrailcreatesthesametrailineachregion,recordsthelogfilesineachregion,anddeliversthelogfilestothesingleAmazonS3bucket(andoptionallytotheAmazonCloudWatchLogsloggroup)thatyouspecify.ThisisthedefaultoptionwhenyoucreateatrailusingtheAWSCloudTrailconsole.IfyouchoosetoreceiveAmazonSNSnotificationsforlogfiledeliveries,oneAmazonSNStopicwillsufficeforallregions.IfyouchoosetohaveAWSCloudTrailsendeventsfromatrailthatappliestoallregionstoanAmazonCloudWatchLogsloggroup,eventsfromallregionswillbesenttothesingleloggroup.

ATrailThatAppliestoOneRegionYouspecifyabucketthatreceiveseventsonlyfromthatregion.Thebucketcanbeinanyregionthatyouspecify.Ifyoucreateadditionalindividualtrailsthatapplytospecificregions,youcanhavethosetrailsdelivereventlogstoasingleAmazonS3bucket.

Bydefault,yourlogfilesareencryptedusingAmazonS3SSE.Youcanstoreyourlogfilesinyourbucketforaslongasyouwant,butyoucanalsodefineAmazonS3lifecyclerulestoarchiveordeletelogfilesautomatically.

AWSCloudTrailtypicallydeliverslogfileswithin15minutesofanAPIcall.Inaddition,theservicepublishesnewlogfilesmultipletimesanhour,usuallyabouteveryfiveminutes.TheselogfilescontainAPIcallsfromalloftheaccount’sservicesthatsupportAWSCloudTrail.

EnableAWSCloudTrailonallofyourAWSaccounts.Insteadofconfiguringatrailforoneregion,youshouldenabletrailsforallregions.

UseCasesAWSCloudTrailisbeneficialforseveralusecases:

ExternalComplianceAuditsYourbusinessmustdemonstratecompliancetoasetofregulationspertinenttosomeoralldatabeingtransmitted,processed,andstoredwithinyourAWSaccounts.EventsfromAWSCloudTrailcanbeusedtoshowthedegreetowhichyouarecompliantwiththeregulations.

UnauthorizedAccesstoYourAWSAccountAWSCloudTrailrecordsallsign-onattemptstoyourAWSaccount,includingAWSManagementConsoleloginattempts,AWS

SoftwareDevelopmentKit(SDK)APIcalls,andAWSCLIAPIcalls.RoutineexaminationofAWSCloudTraileventswillprovidetheneededinformationtodetermineifyourAWSaccountisbeingtargetedforunauthorizedaccess.

AnalyticsAnalytics,andtheassociatedbigdatathatitrequires,presentsauniquelistofchallengestoaSolutionsArchitect.Thebigdatamustbeingestedataveryhighrate,storedinveryhighvolume,andprocessedwithatremendousamountofcompute.Often,theneedtoperformanalyticsonthebigdataissporadic,withagreatdealofcomputeinfrastructureneededregularlyforverysmalltimeperiods.Thecloud,withitseasyaccesstocomputeandnearlylimitlessstoragecapacity,isideallysuitedtoaddresstheseanalyticschallenges.ThissectioncoversseveralAWScloudservicesthatwillhelpyouaddressanalyticsandbigdataissuesontheexam.

AmazonKinesisAmazonKinesisisaplatformforhandlingmassivestreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdataandalsoprovidingtheabilityforyoutobuildcustomstreamingdataapplicationsforspecializedneeds.

OverviewAmazonKinesisisastreamingdataplatformconsistingofthreeservicesaddressingdifferentreal-timestreamingdatachallenges:

AmazonKinesisFirehose:AserviceenablingyoutoloadmassivevolumesofstreamingdataintoAWS

AmazonKinesisStreams:Aserviceenablingyoutobuildcustomapplicationsformorecomplexanalysisofstreamingdatainrealtime

AmazonKinesisAnalytics:AserviceenablingyoutoeasilyanalyzestreamingdatarealtimewithstandardSQL

Eachoftheseservicescanscaletohandlevirtuallylimitlessdatastreams.

AmazonKinesisFirehoseAmazonKinesisFirehosereceivesstreamdataandstoresitinAmazonS3,AmazonRedshift,orAmazonElasticsearch.Youdonotneedtowriteanycode;justcreateadeliverystreamandconfigurethedestinationforyourdata.ClientswritedatatothestreamusinganAWSAPIcallandthedataisautomaticallysenttotheproperdestination.ThevariousdestinationoptionsareshowninFigure11.3.

FIGURE11.3AmazonKinesisFirehose

WhenconfiguredtosaveastreamtoAmazonS3,AmazonKinesisFirehosesendsthedatadirectlytoAmazonS3.ForanAmazonRedshiftdestination,thedataisfirstwrittentoAmazonS3,andthenanAmazonRedshiftCOPYcommandisexecutedtoloadthedataintoAmazonRedshift.AmazonKinesisFirehosecanalsowritedataouttoAmazonElasticsearch,withtheoptiontobackthedataupconcurrentlytoAmazonS3.

AmazonKinesisStreamsAmazonKinesisStreamsenableyoutocollectandprocesslargestreamsofdatarecordsinrealtime.UsingAWSSDKs,youcancreateanAmazonKinesisStreamsapplicationthatprocessesthedataasitmovesthroughthestream.Becauseresponsetimefordataintakeandprocessingisinnearrealtime,theprocessingistypicallylightweight.AmazonKinesisStreamscanscaletosupportnearlylimitlessdatastreamsbydistributingincomingdataacrossanumberofshards.Ifanyshardbecomestoobusy,itcanbefurtherdividedintomoreshardstodistributetheloadfurther.Theprocessingisthenexecutedonconsumers,whichreaddatafromtheshardsandruntheAmazonKinesisStreamsapplication.ThisarchitectureisshowninFigure11.4.

FIGURE11.4AmazonKinesisStreams

AmazonKinesisAnalyticsAtthetimeofthiswriting,AmazonKinesisAnalyticshasbeenannouncedbutnotyetreleased.

UseCasesTheAmazonKinesisservicessupportmanystrategicworkloadsthatwouldotherwiserequireextensiveefforttodeployandmanage,including,butnotlimitedto:

DataIngestionThefirstchallengewithahugestreamofdataisacceptingitreliably.Whetheritisuserdatafromhighlytraffickedwebsites,inputdatafromthousandsofmonitoringdevices,oranyothersourcesofhugestreams,AmazonKinesisFirehoseisanexcellentchoicetoensurethatallofyourdataissuccessfullystoredinyourAWSinfrastructure.

Real-TimeProcessingofMassiveDataStreamsCompaniesoftenneedtoactonknowledgegleanedfromabigdatastreamrightaway,whethertofeedadashboardapplication,alteradvertisingstrategiesbasedonsocialmediatrends,allocateassetsbasedonreal-timesituations,orahostofotherscenarios.AmazonKinesisStreamsenablesyoutogatherthisknowledgefromthedatainyourstreamonareal-timebasis.

It’sgoodtorememberthatwhileAmazonKinesisisideallysuitedforingestingandprocessingstreamsofdata,itislessappropriateforbatchjobssuchasnightlyExtract,Transform,Load(ETL)processes.Forthosetypesofworkloads,considerAWSDataPipeline,whichisdescribedlaterinthischapter.

AmazonElasticMapReduce(AmazonEMR)AmazonElasticMapReduce(AmazonEMR)providesyouwithafullymanaged,on-demandHadoopframework.AmazonEMRreducesthecomplexityandup-frontcostsofsettingupHadoopand,combinedwiththescaleofAWS,givesyoutheabilitytospinuplargeHadoopclustersinstantlyandstartprocessingwithinminutes.

OverviewWhenyoulaunchanAmazonEMRcluster,youspecifyseveraloptions,themostimportantbeing:

Theinstancetypeofthenodesinyourcluster

Thenumberofnodesinyourcluster

TheversionofHadoopyouwanttorun(AmazonEMRsupportsseveralrecentversionsofApacheHadoop,andalsoseveralversionsofMapRHadoop.)

AdditionaltoolsorapplicationslikeHive,Pig,Spark,orPresto

TherearetwotypesofstoragethatcanbeusedwithAmazonEMR:

HadoopDistributedFileSystem(HDFS)HDFSisthestandardfilesystemthatcomeswithHadoop.Alldataisreplicatedacrossmultipleinstancestoensuredurability.AmazonEMRcanuseAmazonEC2instancestorageorAmazonEBSforHDFS.Whenaclusterisshutdown,instancestorageislostandthedatadoesnotpersist.HDFScanalsomakeuseofAmazonEBSstorage,tradinginthecosteffectivenessofinstancestoragefortheabilitytoshutdownaclusterwithoutlosingdata.

EMRFileSystem(EMRFS)EMRFSisanimplementationofHDFSthatallowsclusterstostoredataonAmazonS3.EMRFSallowsyoutogetthedurabilityandlowcostofAmazonS3whilepreservingyourdataeveniftheclusterisshutdown.

Akeyfactordrivingthetypeofstorageaclusterusesiswhethertheclusterispersistentortransient.Apersistentclustercontinuestorun24×7afteritislaunched.Persistentclustersareappropriatewhencontinuousanalysisisgoingtoberunonthedata.Forpersistentclusters,HDFSisacommonchoice.PersistentclusterstakeadvantageofthelowlatencyofHDFS,especiallyoninstancestorage,whenconstantoperationmeansnodatalostwhenshuttingdownacluster.Inothersituations,bigdataworkloadsarefrequentlyruninconsistently,anditcanbecost-effectivetoturntheclusteroffwhennotinuse.Clustersthatarestartedwhenneededandthenimmediatelystoppedwhendonearecalledtransientclusters.EMRFSiswellsuitedfortransientclusters,asthedatapersistsindependentofthelifetimeofthecluster.YoucanalsochoosetouseacombinationoflocalHDFSandEMRFStomeetyourworkloadneeds.

BecauseAmazonEMRisaninstanceofApacheHadoop,youcanusetheextensiveecosystemoftoolsthatworkontopofHadoop,suchasHive,Pig,andSpark.Manyofthesetoolsarenativelysupportedandcanbeincludedautomaticallywhenyoulaunchyourcluster,whileotherscanbeinstalledthroughbootstrapactions.

UseCasesAmazonEMRiswellsuitedforalargenumberofusecases,including,butnotlimitedto:

LogProcessingAmazonEMRcanbeusedtoprocesslogsgeneratedbywebandmobileapplications.AmazonEMRhelpscustomersturnpetabytesofunstructuredorsemi-structureddataintousefulinsightsabouttheirapplicationsorusers.

ClickstreamAnalysisAmazonEMRcanbeusedtoanalyzeclickstreamdatainordertosegmentusersandunderstanduserpreferences.Advertiserscanalsoanalyzeclickstreams

andadvertisingimpressionlogstodelivermoreeffectiveads.

GenomicsandLifeSciencesAmazonEMRcanbeusedtoprocessvastamountsofgenomicdataandotherlargescientificdatasetsquicklyandefficiently.Processesthatrequireyearsofcomputecanbecompletedinadaywhenscaledacrosslargeclusters.

AWSDataPipelineAWSDataPipelineisawebservicethathelpsyoureliablyprocessandmovedatabetweendifferentAWScomputeandstorageservices,andalsoon-premisesdatasources,atspecifiedintervals.WithAWSDataPipeline,youcanregularlyaccessyourdatawhereit’sstored,transformandprocessitatscale,andefficientlytransfertheresultstoAWSservicessuchasAmazonS3,AmazonRelationalDatabaseService(AmazonRDS),AmazonDynamoDB,andAmazonEMR.

OverviewEverythinginAWSDataPipelinestartswiththepipelineitself.Apipelineschedulesandrunstasksaccordingtothepipelinedefinition.Theschedulingisflexibleandcanrunevery15minutes,everyday,everyweek,andsoforth.

Thepipelineinteractswithdatastoredindatanodes.Datanodesarelocationswherethepipelinereadsinputdataorwritesoutputdata,suchasAmazonS3,aMySQLdatabase,oranAmazonRedshiftcluster.DatanodescanbeonAWSoronyourpremises.

Thepipelinewillexecuteactivitiesthatrepresentcommonscenarios,suchasmovingdatafromonelocationtoanother,runningHivequeries,andsoforth.Activitiesmayrequireadditionalresourcestorun,suchasanAmazonEMRclusteroranAmazonEC2instance.Inthesesituations,AWSDataPipelinewillautomaticallylaunchtherequiredresourcesandtearthemdownwhentheactivityiscompleted.

Distributeddataflowsoftenhavedependencies;justbecauseanactivityisscheduledtorundoesnotmeanthatthereisdatawaitingtobeprocessed.Forsituationslikethis,AWSDataPipelinesupportspreconditions,whichareconditionalstatementsthatmustbetruebeforeanactivitycanrun.TheseincludescenariossuchaswhetheranAmazonS3keyispresent,whetheranAmazonDynamoDBtablecontainsanydata,andsoforth.

Ifanactivityfails,retryisautomatic.Theactivitywillcontinuetoretryuptothelimityouconfigure.Youcandefineactionstotakeintheeventwhentheactivityreachesthatlimitwithoutsucceeding.

UseCasesAWSDataPipelinecanbeusedforvirtuallyanybatchmodeETLprocess.AsimpleexampleisshowninFigure11.5.

FIGURE11.5Examplepipeline

ThepipelineinFigure11.5isperformingthefollowingworkflow:

Everyhouranactivitybeginstoextractlogdatafromon-premisesstoragetoAmazonS3.Apreconditionchecksthatthereisdatatobetransferredbeforeactuallystartingtheactivity.

ThenextactivitylaunchesatransientAmazonEMRclusterthatusestheextracteddatasetasinput,validatesandtransformsit,andthenoutputsthedatatoanAmazonS3bucket.

ThefinalactivitymovesthetransformeddatafromAmazonS3toAmazonRedshiftviaanAmazonRedshiftCOPYcommand.

AWSDataPipelineisbestforregularbatchprocessesinsteadofforcontinuousdatastreams;useAmazonKinesisfordatastreams.

AWSImport/ExportOnekeychallengeofbigdataontheAWScloudisgettinghugedatasetstothecloudinthefirstplace,orretrievingthembacktoon-premiseswhennecessary.Regardlessofhowmuchbandwidthyouconfigureoutofyourdatacenter,therearetimeswhenthereismoredatatotransferthancanmoveovertheconnectioninareasonableperiodoftime.AWSImport/ExportisaservicethatacceleratestransferringlargeamountsofdataintoandoutofAWSusingphysicalstorageappliances,bypassingtheInternet.Thedataiscopiedtoadeviceatthesource(yourdatacenteroranAWSregion),shippedviastandardshippingmechanisms,andthencopiedtothedestination(yourdatacenteroranAWSregion).

OverviewAWSImport/ExporthastwofeaturesthatsupportshippingdataintoandoutofyourAWSinfrastructure:AWSImport/ExportSnowball(AWSSnowball)andAWSImport/ExportDisk.

AWSSnowballAWSSnowballusesAmazon-providedshippablestorageappliancesshipped

throughUPS.EachAWSSnowballisprotectedbyAWSKMSandmadephysicallyruggedtosecureandprotectyourdatawhilethedeviceisintransit.Atthetimeofthiswriting,AWSSnowballscomeintwosizes:50TBand80TB,andtheavailabilityofeachvariesbyregion.

AWSSnowballprovidesthefollowingfeatures:

Youcanimportandexportdatabetweenyouron-premisesdatastoragelocationsandAmazonS3.

Encryptionisenforced,protectingyourdataatrestandinphysicaltransit.

Youdon’thavetobuyormaintainyourownhardwaredevices.

YoucanmanageyourjobsthroughtheAWSSnowballconsole.

TheAWSSnowballisitsownshippingcontainer,andtheshippinglabelisanEInkdisplaythatautomaticallyshowsthecorrectaddresswhentheAWSSnowballisreadytoship.YoucandropitoffwithUPS,noboxrequired.

WithAWSSnowball,youcanimportorexportterabytesorevenpetabytesofdata.

AWSImport/ExportDiskAWSImport/ExportDisksupportstransfersdatadirectlyontoandoffofstoragedevicesyouownusingtheAmazonhigh-speedinternalnetwork.

ImportantthingstounderstandaboutAWSImport/ExportDiskinclude:

YoucanimportyourdataintoAmazonGlacierandAmazonEBS,inadditiontoAmazonS3.

YoucanexportdatafromAmazonS3.

Encryptionisoptionalandnotenforced.

Youbuyandmaintainyourownhardwaredevices.

Youcan’tmanageyourjobsthroughtheAWSSnowballconsole.

UnlikeAWSSnowball,AWSImport/ExportDiskhasanupperlimitof16TB.

UseCasesAWSImport/ExportcanbeusedforjustaboutanysituationwhereyouhavemoredatatomovethanyoucangetthroughyourInternetconnectioninareasonabletime,including,butnotlimitedto:

StorageMigrationWhencompaniesshutdownadatacenter,theyoftenneedtomovemassiveamountsofstoragetoanotherlocation.AWSImport/Exportisasuitabletechnologyforthisrequirement.

MigratingApplicationsMigratinganapplicationtothecloudofteninvolvesmovinghugeamountsofdata.ThiscanbeacceleratedusingAWSImport/Export.

DevOpsAsorganizationscreatedincreasinglycomplexsoftwareapplications,ITdevelopmentteamsevolvedtheirsoftwarecreationpracticesformoreflexibility,movingfromwaterfallmodelstoagileorleandevelopmentpractices.Thischangealsopropagatedtooperationsteams,whichblurredthelinesbetweentraditionaldevelopmentandoperationsteams.AWSprovidesaflexibleenvironmentthatfacilitatedthesuccessesoforganizationslikeNetflix,Airbnb,GeneralElectric,andmanyothersthatembracedDevOps.ThissectionreviewselementsofAWScloudservicesthatsupportDevOpspractices.

AWSOpsWorksAWSOpsWorksisaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsusingChef.AWSOpsWorkswillworkwithapplicationsofanylevelofcomplexityandisindependentofanyparticulararchitecturalpattern.Youcandefineanapplication’sarchitectureandthespecificationofeachcomponent,includingpackageinstallation,softwareconfiguration,andresourcessuchasstorage.

AWSOpsWorkssupportsbothLinuxorWindowsservers,includingexistingAmazonEC2instancesorserversrunninginyourowndatacenter.Thisallowsorganizationstouseasingleconfigurationmanagementservicetodeployandoperateapplicationsacrosshybridarchitectures.

OverviewManysolutionsonAWSusuallyinvolvegroupsofresources,suchasAmazonEC2instancesandAmazonRDSinstances,whichmustbecreatedandmanagedcollectively.Forexample,thesearchitecturestypicallyrequireapplicationservers,databaseservers,loadbalancers,andsoon.Thisgroupofresourcesistypicallycalledastack.AsimpleapplicationserverstackmightbearrangedsomethinglikeinFigure11.6.

FIGURE11.6Simpleapplicationserverstack

Inadditiontocreatingtheinstancesandinstallingthenecessarypackages,youtypicallyneedawaytodistributeapplicationstotheapplicationservers,monitorthestack’sperformance,managesecurityandpermissions,andsoon.AWSOpsWorksprovidesasimpleandflexiblewaytocreateandmanagestacksandapplications.Figure11.7depictshowasimpleapplicationserverstackmightlookwithAWSOpsWorks.Althoughrelativelysimple,thisstackshowsthekeyAWSOpsWorksfeatures.

FIGURE11.7SimpleapplicationserverstackwithAWSOpsWorks

ThestackisthecoreAWSOpsWorkscomponent.ItisbasicallyacontainerforAWSresources—AmazonEC2instances,AmazonRDSdatabaseinstances,andsoon—thathaveacommonpurposeandmakesensetobelogicallymanagedtogether.Thestackhelpsyoumanagetheseresourcesasagroupanddefinessomedefaultconfigurationsettings,suchastheAmazonEC2instances’operatingsystemandAWSregion.Ifyouwanttoisolatesomestackcomponentsfromdirectuserinteraction,youcanrunthestackinanAmazonVirtualPrivateCloud(AmazonVPC).Eachstackletsyougrantuserspermissiontoaccessthestackandspecifywhatactionstheycantake.

YoucanuseAWSOpsWorksorIAMtomanageuserpermissions.Notethatthetwooptionsarenotmutuallyexclusive;itissometimesdesirabletouseboth.

Youdefinetheelementsofastackbyaddingoneormorelayers.Alayerrepresentsasetofresourcesthatserveaparticularpurpose,suchasloadbalancing,webapplications,orhostingadatabaseserver.YoucancustomizeorextendlayersbymodifyingthedefaultconfigurationsoraddingChefrecipestoperformtaskssuchasinstallingadditionalpackages.Layersgiveyoucompletecontroloverwhichpackagesareinstalled,howtheyareconfigured,howapplicationsaredeployed,andmore.

LayersdependonChefrecipestohandletaskssuchasinstallingpackagesoninstances,

deployingapplications,andrunningscripts.OneofthekeyAWSOpsWorksfeaturesisasetoflifecycleeventsthatautomaticallyrunaspecifiedsetofrecipesattheappropriatetimeoneachinstance.

Aninstancerepresentsasinglecomputingresource,suchasanAmazonEC2instance.Itdefinestheresource’sbasicconfiguration,suchasoperatingsystemandsize.Otherconfigurationsettings,suchasElasticIPaddressesorAmazonEBSvolumes,aredefinedbytheinstance’slayers.Thelayer’srecipescompletetheconfigurationbyperformingtasks,suchasinstallingandconfiguringpackagesanddeployingapplications.

Youstoreapplicationsandrelatedfilesinarepository,suchasanAmazonS3bucketorGitrepo.Eachapplicationisrepresentedbyanapp,whichspecifiestheapplicationtypeandcontainstheinformationthatisneededtodeploytheapplicationfromtherepositorytoyourinstances,suchastherepositoryURLandpassword.Whenyoudeployanapp,AWSOpsWorkstriggersaDeployevent,whichrunstheDeployrecipesonthestack’sinstances.

Usingtheconceptsofstacks,layers,andapps,youcanmodelandvisualizeyourapplicationandresourcesinanorganizedfashion.

Finally,AWSOpsWorkssendsallofyourresourcemetricstoAmazonCloudWatch,makingiteasytoviewgraphsandsetalarmstohelpyoutroubleshootandtakeautomatedactionbasedonthestateofyourresources.AWSOpsWorksprovidesmanycustommetrics,suchasCPUidle,memorytotal,averageloadforoneminute,andmore.Eachinstanceinthestackhasdetailedmonitoringtoprovideinsightsintoyourworkload.

UseCasesAWSOpsWorkssupportsmanyDevOpsefforts,including,butnotlimitedto:

HostMulti-TierWebApplicationsAWSOpsWorksletsyoumodelandvisualizeyourapplicationwithlayersthatdefinehowtoconfigureasetofresourcesthataremanagedtogether.BecauseAWSOpsWorksusestheChefframework,youcanbringyourownrecipesorleveragehundredsofcommunity-builtconfigurations.

SupportContinuousIntegrationAWSOpsWorkssupportsDevOpsprinciples,suchascontinuousintegration.Everythinginyourenvironmentcanbeautomated.

AWSCloudFormationAWSCloudFormationisaservicethathelpsyoumodelandsetupyourAWSresourcessothatyoucanspendlesstimemanagingthoseresourcesandmoretimefocusingonyourapplicationsthatruninAWS.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayonewoulddowithsoftware.

OverviewAWSCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources,provisioningandupdatingtheminanorderly

andpredictablefashion.WhenyouuseAWSCloudFormation,youworkwithtemplatesandstacks.

YoucreateAWSCloudFormationtemplatestodefineyourAWSresourcesandtheirproperties.AtemplateisatextfilewhoseformatcomplieswiththeJSONstandard.AWSCloudFormationusesthesetemplatesasblueprintsforbuildingyourAWSresources.

WhenyouuseAWSCloudFormation,youcanreuseyourtemplatetosetupyourresourcesconsistentlyandrepeatedly.Justdescribeyourresourcesonce,andthenprovisionthesameresourcesoverandoverinmultipleregions.

WhenyouuseAWSCloudFormation,youmanagerelatedresourcesasasingleunitcalledastack.Youcreate,update,anddeleteacollectionofresourcesbycreating,updating,anddeletingstacks.Alloftheresourcesinastackaredefinedbythestack’sAWSCloudFormationtemplate.SupposeyoucreatedatemplatethatincludesanAutoScalinggroup,ElasticLoadBalancingloadbalancer,andanAmazonRDSdatabaseinstance.Tocreatethoseresources,youcreateastackbysubmittingyourtemplatethatdefinesthoseresources,andAWSCloudFormationhandlesalloftheprovisioningforyou.Afteralloftheresourceshavebeencreated,AWSCloudFormationreportsthatyourstackhasbeencreated.Youcanthenstartusingtheresourcesinyourstack.Ifstackcreationfails,AWSCloudFormationrollsbackyourchangesbydeletingtheresourcesthatitcreated.

Oftenyouwillneedtolaunchstacksfromthesametemplate,butwithminorvariations,suchaswithinadifferentAmazonVPCorusingAMIsfromadifferentregion.Thesevariationscanbeaddressedusingparameters.Youcanuseparameterstocustomizeaspectsofyourtemplateatruntime,whenthestackisbuilt.Forexample,youcanpasstheAmazonRDSdatabasesize,AmazonEC2instancetypes,database,andwebserverportnumberstoAWSCloudFormationwhenyoucreateastack.Byleveragingtemplateparameters,youcanuseasingletemplateformanyinfrastructuredeploymentswithdifferentconfigurationvalues.Forexample,yourAmazonEC2instancetypes,AmazonCloudWatchalarmthresholds,andAmazonRDSread-replicasettingsmaydifferamongAWSregionsifyoureceivemorecustomertrafficintheUnitedStatesthaninEurope.Youcanusetemplateparameterstotunethesettingsandthresholdsineachregionseparatelyandstillbesurethattheapplicationisdeployedconsistentlyacrosstheregions.

Figure11.8depictstheAWSCloudFormationworkflowforcreatingstacks.

FIGURE11.8Creatingastackworkflow

Becauseenvironmentsaredynamicinnature,youinevitablywillneedtoupdateyourstack’sresourcesfromtimetotime.Thereisnoneedtocreateanewstackanddeletetheoldone;youcansimplymodifytheexistingstack’stemplate.Toupdateastack,createachangesetbysubmittingamodifiedversionoftheoriginalstacktemplate,differentinputparametervalues,orboth.AWSCloudFormationcomparesthemodifiedtemplatewiththeoriginaltemplateandgeneratesachangeset.Thechangesetliststheproposedchanges.Afterreviewingthechanges,youcanexecutethechangesettoupdateyourstack.Figure11.9depictstheworkflowforupdatingastack.

FIGURE11.9Updatingastackworkflow

Whenthetimecomesandyouneedtodeleteastack,AWSCloudFormationdeletesthestackandalloftheresourcesinthatstack.

Ifyouwanttodeleteastackbutstillretainsomeresourcesinthatstack,youcanuseadeletionpolicytoretainthoseresources.Ifaresourcehasnodeletionpolicy,AWSCloudFormationdeletestheresourcebydefault.

Afteralloftheresourceshavebeendeleted,AWSCloudFormationsignalsthatyourstackhasbeensuccessfullydeleted.IfAWSCloudFormationcannotdeletearesource,thestackwillnotbedeleted.Anyresourcesthathaven’tbeendeletedwillremainuntilyoucansuccessfullydeletethestack.

UseCaseByallowingyoutoreplicateyourentireinfrastructurestackeasilyandquickly,AWSCloudFormationenablesavarietyofusecases,including,butnotlimitedto:

QuicklyLaunchNewTestEnvironmentsAWSCloudFormationletstestingteamsquicklycreateacleanenvironmenttoruntestswithoutdisturbingongoingeffortsinotherenvironments.

ReliablyReplicateConfigurationBetweenEnvironmentsBecauseAWSCloudFormationscriptstheentireenvironment,humanerroriseliminatedwhencreatingnewstacks.

LaunchApplicationsinNewAWSRegionsAsinglescriptcanbeusedacrossmultipleregionstolaunchstacksreliablyindifferentmarkets.

AWSElasticBeanstalkAWSElasticBeanstalkisthefastestandsimplestwaytogetanapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallofthedetails,suchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.

OverviewAWScomprisesdozensofbuildingblockservices,eachofwhichexposesanareaoffunctionality.WhilethevarietyofservicesoffersflexibilityforhoworganizationswanttomanagetheirAWSinfrastructure,itcanbechallengingtofigureoutwhichservicestouseandhowtoprovisionthem.WithAWSElasticBeanstalk,youcanquicklydeployandmanageapplicationsontheAWScloudwithoutworryingabouttheinfrastructurethatrunsthoseapplications.AWSElasticBeanstalkreducesmanagementcomplexitywithoutrestrictingchoiceorcontrol.

TherearekeycomponentsthatcompriseAWSElasticBeanstalkandworktogethertoprovidethenecessaryservicestodeployandmanageapplicationseasilyinthecloud.AnAWSElasticBeanstalkapplicationisthelogicalcollectionoftheseAWSElasticBeanstalkcomponents,whichincludesenvironments,versions,andenvironmentconfigurations.InAWSElasticBeanstalk,anapplicationisconceptuallysimilartoafolder.

Anapplicationversionreferstoaspecific,labelediterationofdeployablecodeforawebapplication.AnapplicationversionpointstoanAmazonS3objectthatcontainsthedeployablecode.Applicationscanhavemanyversionsandeachapplicationversionisunique.Inarunningenvironment,organizationscandeployanyapplicationversiontheyalreadyuploadedtotheapplication,ortheycanuploadandimmediatelydeployanewapplicationversion.Organizationsmightuploadmultipleapplicationversionstotestdifferencesbetweenoneversionoftheirwebapplicationandanother.

AnenvironmentisanapplicationversionthatisdeployedontoAWSresources.Eachenvironmentrunsonlyasingleapplicationversionatatime;however,thesameversionordifferentversionscanruninasmanyenvironmentsatthesametimeasneeded.Whenanenvironmentiscreated,AWSElasticBeanstalkprovisionstheresourcesneededtoruntheapplicationversionthatisspecified.

Anenvironmentconfigurationidentifiesacollectionofparametersandsettingsthatdefinehowanenvironmentanditsassociatedresourcesbehave.Whenanenvironment’sconfigurationsettingsareupdated,AWSElasticBeanstalkautomaticallyappliesthechangestoexistingresourcesordeletesanddeploysnewresourcesdependingonthetypeofchange.

WhenanAWSElasticBeanstalkenvironmentislaunched,theenvironmenttier,platform,andenvironmenttypearespecified.TheenvironmenttierthatischosendetermineswhetherAWSElasticBeanstalkprovisionsresourcestosupportawebapplicationthathandlesHTTP(S)requestsoranapplicationthathandlesbackground-processingtasks.Anenvironmenttierwhosewebapplicationprocesseswebrequestsisknownasawebservertier.Anenvironmenttierwhoseapplicationrunsbackgroundjobsisknownasaworkertier.

Atthetimeofthiswriting,AWSElasticBeanstalkprovidesplatformsupportfortheprogramminglanguagesJava,Node.js,PHP,Python,Ruby,andGowithsupportforthewebcontainersTomcat,Passenger,Puma,andDocker.

UseCasesAcompanyprovidesawebsiteforprospectivehomebuyers,sellers,andrenterstobrowsehomeandapartmentlistingsformorethan110millionhomes.Thewebsiteprocessesmorethanthreemillionnewimagesdaily.Itreceivesmorethan17,000imagerequestspersecondonitswebsiteduringpeaktrafficfrombothdesktopandmobileclients.

Thecompanywaslookingforwaystobemoreagilewithdeploymentsandempoweritsdeveloperstofocusmoreonwritingcodeinsteadofspendingtimemanagingandconfiguringservers,databases,loadbalancers,firewalls,andnetworks.ItbeganusingAWSElasticBeanstalkastheservicefordeployingandscalingthewebapplicationsandservices.DeveloperswereempoweredtouploadcodetoAWSElasticBeanstalk,whichthenautomaticallyhandledthedeployment,fromcapacityprovisioning,loadbalancing,andAutoScaling,toapplicationhealthmonitoring.

Becausethecompanyingestsdatainahaphazardway,runningfeedsthatdumpatonofworkintotheimageprocessingsystemallatonce,itneedstoscaleupitsimageconverterfleettomeetpeakdemand.ThecompanydeterminedthatanAWSElasticBeanstalkworkerfleettorunaPythonImagingLibrarywithcustomcodewasthesimplestwaytomeettherequirement.Thiseliminatedtheneedtohaveanumberofstaticinstancesor,worse,tryingtowritetheirownAutoScalingconfiguration.

BymakingthemovetoAWSElasticBeanstalk,thecompanywasabletoreduceoperatingcostswhileincreasingagilityandscalabilityforitsimageprocessinganddeliverysystem.

KeyFeaturesAWSElasticBeanstalkprovidesseveralmanagementfeaturesthateasedeploymentandmanagementofapplicationsonAWS.Organizationshaveaccesstobuilt-inAmazonCloudWatchmonitoringmetricssuchasaverageCPUutilization,requestcount,andaverage

latency.TheycanreceiveemailnotificationsthroughAmazonSNSwhenapplicationhealthchangesorapplicationserversareaddedorremoved.Serverlogsfortheapplicationserverscanbeaccessedwithoutneedingtologin.OrganizationscanevenelecttohaveupdatesappliedautomaticallytotheunderlyingplatformrunningtheapplicationsuchastheAMI,operatingsystem,languageandframework,andapplicationorproxyserver.

Additionally,developersretainfullcontrolovertheAWSresourcespoweringtheirapplicationandcanperformavarietyoffunctionsbysimplyadjustingtheconfigurationsettings.Theseincludesettingssuchas:

SelectingthemostappropriateAmazonEC2instancetypethatmatchestheCPUandmemoryrequirementsoftheirapplication

ChoosingtherightdatabaseandstorageoptionssuchasAmazonRDS,AmazonDynamoDB,MicrosoftSQLServer,andOracle

EnablingloginaccesstoAmazonEC2instancesforimmediateanddirecttroubleshooting

EnhancingapplicationsecuritybyenablingHTTPSprotocolontheloadbalancer

Adjustingapplicationserversettings(forexample,JVMsettings)andpassingenvironmentvariables

AdjustAutoScalingsettingstocontrolthemetricsandthresholdsusedtodeterminewhentoaddorremoveinstancesfromanenvironment

WithAWSElasticBeanstalk,organizationscandeployanapplicationquicklywhileretainingasmuchcontrolastheywanttohaveovertheunderlyinginfrastructure.

AWSTrustedAdvisorAWSTrustedAdvisordrawsuponbestpracticeslearnedfromtheaggregatedoperationalhistoryofservingoveramillionAWScustomers.AWSTrustedAdvisorinspectsyourAWSenvironmentandmakesrecommendationswhenopportunitiesexisttosavemoney,improvesystemavailabilityandperformance,orhelpclosesecuritygaps.YoucanviewtheoverallstatusofyourAWSresourcesandsavingsestimationsontheAWSTrustedAdvisordashboard.

AWSTrustedAdvisorisaccessedintheAWSManagementConsole.Additionally,programmaticaccesstoAWSTrustedAdvisorisavailablewiththeAWSSupportAPI.

AWSTrustedAdvisorprovidesbestpracticesinfourcategories:costoptimization,security,faulttolerance,andperformanceimprovement.Thestatusofthecheckisshownbyusingcolorcodingonthedashboardpage,asdepictedinFigure11.10.

FIGURE11.10AWSTrustedAdvisorConsoledashboard

Thecolorcodingreflectsthefollowinginformation:

Red:Actionrecommended

Yellow:Investigationrecommended

Green:Noproblemdetected

Foreachcheck,youcanreviewadetaileddescriptionoftherecommendedbestpractice,asetofalertcriteria,guidelinesforaction,andalistofusefulresourcesonthetopic.

AllAWScustomershaveaccesstofourAWSTrustedAdvisorchecksatnocost.ThefourstandardAWSTrustedAdvisorchecksare:

ServiceLimitsChecksforusagethatismorethan80percentoftheservicelimit.Thesevaluesarebasedonasnapshot,socurrentusagemightdifferandcantakeupto24hourstoreflectchanges.

SecurityGroups–SpecificPortsUnrestrictedCheckssecuritygroupsforrulesthatallowunrestrictedaccess(0.0.0.0/0)tospecificports

IAMUseChecksforyouruseofAWSIAM

MFAonRootAccountCheckstherootaccountandwarnsifMFAisnotenabled

CustomerswithaBusinessorEnterpriseAWSSupportplancanviewallAWSTrustedAdvisorchecks—over50checks.

TheremaybeoccasionswhenaparticularcheckisnotrelevanttosomeresourcesinyourAWSenvironment.Youhavetheabilitytoexcludeitemsfromacheckandoptionallyrestorethemlateratanytime.AWSTrustedAdvisoractslikeacustomizedcloudexpert,andithelpsorganizationsprovisiontheirresourcesbyfollowingbestpracticeswhileidentifyinginefficiencies,waste,potentialcostsavings,andsecurityissues.

AWSConfigAWSConfigisafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,youcandiscoverexistinganddeletedAWSresources,determineyouroverallcomplianceagainstrules,anddiveintoconfigurationdetailsofaresourceatanypointintime.Thesecapabilitiesenablecomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

OverviewAWSConfigprovidesadetailedviewoftheconfigurationofAWSresourcesinyourAWSaccount.Thisincludeshowtheresourcesarerelatedandhowtheywereconfiguredinthepastsothatyoucanseehowtheconfigurationsandrelationshipschangeovertime.AWSConfigdefinesaresourceasanentityyoucanworkwithinAWS,suchasanAmazonEC2instance,anAmazonEBSvolume,asecuritygroup,oranAmazonVPC.

WhenyouturnonAWSConfig,itfirstdiscoversthesupportedAWSresourcesthatexistinyouraccountandgeneratesaconfigurationitemforeachresource.Aconfigurationitemrepresentsapoint-in-timeviewofthevariousattributesofasupportedAWSresourcethatexistsinyouraccount.Thecomponentsofaconfigurationitemincludemetadata,attributes,relationships,currentconfiguration,andrelatedevents.

AWSConfigwillgenerateconfigurationitemswhentheconfigurationofaresourcechanges,anditmaintainshistoricalrecordsoftheconfigurationitemsofyourresourcesfromthetimeyoustarttheconfigurationrecorder.Theconfigurationrecorderstorestheconfigurationsofthesupportedresourcesinyouraccountasconfigurationitems.Bydefault,AWSConfigcreatesconfigurationitemsforeverysupportedresourceintheregion.Ifyoudon’twantAWSConfigtocreateconfigurationitemsforallsupportedresources,youcanspecifytheresourcetypesthatyouwantittotrack.

Organizationsoftenneedtoassesstheoverallcomplianceandriskstatusfromaconfigurationperspective,viewcompliancetrendsovertime,andpinpointwhichconfigurationchangecausedaresourcetodriftoutofcompliance.AnAWSConfigRulerepresentsdesiredconfigurationsettingsforspecificAWSresourcesorforanentireAWSaccount.WhileAWSConfigcontinuouslytracksyourresourceconfigurationchanges,itcheckswhetherthesechangesviolateanyoftheconditionsinyourrules.Ifaresourceviolatesarule,AWSConfigflagstheresourceandtheruleasnoncompliantandnotifiesyouthroughAmazonSNS.

AWSConfigmakesiteasytotrackresourceconfigurationwithouttheneedforup-frontinvestmentsandwhileavoidingthecomplexityofinstallingandupdatingagentsfordatacollectionormaintaininglargedatabases.OnceAWSConfigisenabled,organizationscanviewcontinuouslyupdateddetailsofallconfigurationattributesassociatedwithAWSresources.

UseCasesSomeoftheinfrastructuremanagementtasksAWSConfigenablesinclude:

DiscoveryAWSConfigwilldiscoverresourcesthatexistinyouraccount,recordtheir

currentconfiguration,andcaptureanychangestotheseconfigurations.AWSConfigwillalsoretainconfigurationdetailsforresourcesthathavebeendeleted.Acomprehensivesnapshotofallresourcesandtheirconfigurationattributesprovidesacompleteinventoryofresourcesinyouraccount.

ChangeManagementWhenyourresourcesarecreated,updated,ordeleted,AWSConfigstreamstheseconfigurationchangestoAmazonSNSsothatyouarenotifiedofallconfigurationchanges.AWSConfigrepresentsrelationshipsbetweenresources,soyoucanassesshowachangetooneresourcemayaffectotherresources.

ContinuousAuditandComplianceAWSConfigandAWSConfigRulesaredesignedtohelpyouassesscompliancewithinternalpoliciesandregulatorystandardsbyprovidingvisibilityintotheconfigurationofaresourceatanytimeandevaluatingrelevantconfigurationchangesagainstrulesthatyoucandefine.

TroubleshootingUsingAWSConfig,youcanquicklytroubleshootoperationalissuesbyidentifyingtherecentconfigurationchangestoyourresources.

SecurityandIncidentAnalysisProperlyconfiguredresourcesimproveyoursecurityposture.DatafromAWSConfigenablesyoutomonitortheconfigurationsofyourresourcescontinuouslyandevaluatetheseconfigurationsforpotentialsecurityweaknesses.Afterapotentialsecurityevent,AWSConfigenablesyoutoexaminetheconfigurationofyourresourcesatanysinglepointinthepast.

KeyFeaturesInthepast,organizationsneededtopollresourceAPIsandmaintaintheirownexternaldatabaseforchangemanagement.AWSConfigresolvesthispreviousneedandautomaticallyrecordsresourceconfigurationinformationandwillevaluateanyrulesthataretriggeredbyachange.Theconfigurationoftheresourceanditsoverallcomplianceagainstrulesarepresentedinadashboard.

AWSConfigintegrateswithAWSCloudTrail,aservicethatrecordsAWSAPIcallsforanaccountanddeliversAPIusagelogfilestoanAmazonS3bucket.IftheconfigurationchangeofaresourcewastheresultofanAPIcall,AWSConfigalsorecordstheAWSCloudTraileventIDthatcorrespondstotheAPIcallthatchangedtheresource’sconfiguration.OrganizationscanthenleveragetheAWSCloudTraillogstoobtaindetailsoftheAPIcallthatwasmade—includingwhomadetheAPIcall,atwhattime,andfromwhichIPaddress—tousefortroubleshootingpurposes.

WhenaconfigurationchangeismadetoaresourceorwhenthecomplianceofanAWSConfigrulechanges,anotificationmessageisdeliveredthatcontainstheupdatedconfigurationoftheresourceorcompliancestateoftheruleandkeyinformationsuchastheoldandnewvaluesforeachchangedattribute.Additionally,AWSConfigsendsnotificationswhenaConfigurationHistoryfileisdeliveredtoAmazonS3andwhenthecustomerinitiatesaConfigurationSnapshot.ThesemessagesareallstreamedtoanAmazonSNStopicthatyouspecify.

OrganizationscanusetheAWSManagementConsole,API,orAWSCLItoobtaindetailsofwhataresource’sconfigurationlookedlikeatanypointinthepast.AWSConfigwillalsoautomaticallydeliverahistoryfiletotheAmazonS3bucketyouspecifyeverysixhoursthat

containsallchangestoyourresourceconfigurations.

SummaryInthischapter,youlearnedaboutadditionalkeyAWScloudservices,manyofwhichwillbecoveredonyourAWSCertifiedSolutionsArchitect–Associateexam.Theseservicesaregroupedintofourcategoriesofservices:storageandcontentdelivery,security,analytics,andDevOps.

Inthestorageandcontentdeliverygroup,wecoveredAmazonCloudFrontandAWSStorageGateway.AmazonCloudFrontisaglobalCDNservice.ItintegrateswithotherAWSproductstogivedevelopersandbusinessesaneasywaytodistributecontenttoenduserswithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.AWSStorageGatewayisaservicethatconnectsanon-premisessoftwareappliancewithcloud-basedstorage.Itprovidesseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandAWSstorageinfrastructure.TheAWSStorageGatewayappliancemaintainsfrequentlyaccesseddataon-premiseswhileencryptingandstoringallofyourdatainAmazonS3orAmazonGlacier.

TheserviceswecoveredinsecurityfocusedonIdentityManagement(AWSDirectoryService),KeyManagement(AWSKMSAWSCloudHSM),andAudit(AWSCloudTrail).AWSDirectoryServiceisamanagedserviceoffering,providingdirectoriesthatcontaininformationaboutyourorganization,includingusers,groups,computers,andotherresources.AWSDirectoryServiceisofferedinthreetypes:AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition),SimpleAD,andADConnector.

Keymanagementisthemanagementofcryptographickeyswithinacryptosystem.Thisincludesdealingwiththegeneration,exchange,storage,use,andreplacementofkeys.AWSKMSisamanagedservicethatmakesiteasyforyoutocreateandcontroltheencryptionkeysusedtoencryptyourdata.AWSKMSletsyoucreatekeysthatcanneverbeexportedfromtheserviceandthatcanbeusedtoencryptanddecryptdatabasedonpoliciesyoudefine.AWSCloudHSMhelpsyoumeetcorporate,contractual,andregulatorycompliancerequirementsfordatasecuritybyusingdedicatedHSMapplianceswithintheAWScloud.AnHSMisahardwareappliancethatprovidessecurekeystorageandcryptographicoperationswithinatamper-resistanthardwaremodule.

RoundingoutthesecurityservicesisAWSCloudTrail.AWSCloudTrailprovidesvisibilityintouseractivitybyrecordingAPIcallsmadeonyouraccount.AWSCloudTrailrecordsimportantinformationabouteachAPIcall,includingthenameoftheAPI,theidentityofthecaller,thetimeoftheAPIcall,therequestparameters,andtheresponseelementsreturnedbytheAWSservice.ThisinformationhelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.

Theanalyticsservicescoveredhelpyouovercometheuniquelistofchallengesassociatedwithbigdataintoday’sITworld.AmazonKinesisisaplatformforhandlingmassivestreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdataandalsoprovidingtheabilityforyoutobuildcustomstreamingdataapplicationsforspecializedneeds.AmazonEMRprovidesyouwithafullymanaged,on-demandHadoopframework.Thereductionofcomplexityandup-frontcostscombinedwiththescaleofAWSmeansyoucaninstantlyspinuplargeHadoopclustersandstartprocessing

withinminutes.

Tosupplementthebigdatachallenges,orchestratingdatamovementcomeswithitsownchallenges.AWSDataPipelineisawebservicethathelpsyoureliablyprocessandmovedatabetweendifferentAWScomputeandstorageservices,andalsoon-premisesdatasources,atspecifiedintervals.WithAWSDataPipeline,youcanregularlyaccessyourdatawhereit’sstored,transformandprocessitatscale,andefficientlytransfertheresultstoAWSservicessuchasAmazonS3,AmazonRDS,AmazonDynamoDB,andAmazonEMR.Additionally,AWSImport/Exporthelpswhenyou’refacedwiththechallengeofgettinghugedatasetsintoAWSinthefirstplaceorretrievingthembacktoon-premiseswhennecessary.AWSImport/ExportisaservicethatacceleratestransferringlargeamountsofdataintoandoutofAWSusingphysicalstorageappliances,bypassingtheInternet.Thedataiscopiedtoadeviceatthesource,shippedviastandardshippingmechanisms,andthencopiedtothedestination.

AWScontinuestoevolveservicesinsupportoforganizationsembracingDevOps.ServicessuchasAWSOpsWorks,AWSCloudFormation,AWSElasticBeanstalk,andAWSConfigareleadingthewayforDevOpsonAWS.AWSOpsWorksprovidesaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsusingChef.AWSOpsWorksworkswithapplicationsofanylevelofcomplexityandisindependentofanyparticulararchitecturalpattern.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayonewoulddowithsoftware.AWSElasticBeanstalkallowsdeveloperstosimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallofthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.AWSConfigdeliversafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationshavetheinformationnecessaryforcomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

Thekeyadditionalservicescoveredinthischapterwillhelpyouformaknowledgebasetounderstandthenecessitiesfortheexam.AsyoucontinuetogrowasaSolutionsArchitect,divingdeeperintotheAWScloudservicesasawholewillexpandyourabilitytodefinewellarchitectedsolutionsacrossawidevarietyofbusinessverticalsandusecases.

ExamEssentialsKnowthebasicusecasesforamazonCloudFront.KnowwhentouseAmazonCloudFront(forpopularstaticanddynamiccontentwithgeographicallydistributedusers)andwhennotto(allusersatasinglelocationorconnectingthroughacorporateVPN).

KnowhowamazonCloudFrontworks.AmazonCloudFrontoptimizesdownloadsbyusinggeolocationtoidentifythegeographicallocationofusers,thenservingandcachingcontentattheedgelocationclosesttoeachusertomaximizeperformance.

KnowhowtocreateanamazonCloudFrontdistributionandwhattypesoforiginsaresupported.Tocreateadistribution,youspecifyanoriginandthetypeofdistribution,andAmazonCloudFrontcreatesanewdomainnameforthedistribution.OriginssupportedincludeAmazonS3bucketsorstaticAmazonS3websitesandHTTPserverslocatedinAmazonEC2orinyourowndatacenter.

KnowhowtouseamazonCloudFrontfordynamiccontentandmultipleorigins.Understandhowtospecifymultipleoriginsfordifferenttypesofcontentandhowtousecachebehaviorsandpathstringstocontrolwhatcontentisservedbywhichorigin.

KnowwhatmechanismsareavailabletoserveprivatecontentthroughamazonCloudFront.AmazonCloudFrontcanserveprivatecontentusingAmazonS3OriginAccessIdentifiers,signedURLs,andsignedcookies.

KnowthethreeconfigurationsofAWSstoragegatewayandtheirusecases.Gateway-Cachedvolumesexpandyouron-premisesstorageintoAmazonS3andcachefrequentlyusedfileslocally.Gateway-StoredvalueskeepallyourdataavailablelocallyatalltimesandalsoreplicateitasynchronouslytoAmazonS3.Gateway-VTLenablesyoutokeepyourcurrentbackuptapesoftwareandprocesseswhileeliminatingphysicaltapesbystoringyourdatainthecloud.

UnderstandthevalueofAWSDirectoryService.AWSDirectoryServiceisdesignedtoreduceidentitymanagementtasks,therebyallowingyoutofocusmoreofyourtimeandresourcesonyourbusiness.

KnowtheAWSDirectoryServiceDirectorytypes.AWSDirectoryServiceoffersthreedirectorytypes:

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition),alsoreferredtoasMicrosoftAD

SimpleAD

ADConnector

KnowwhenyoushoulduseAWSDirectoryServiceforMicrosoftActiveDirectory.YoushoulduseMicrosoftActiveDirectoryifyouhavemorethan5,000usersorneedatrustrelationshipsetupbetweenanAWShosteddirectoryandyouron-premisesdirectories.

Understandkeymanagement.Keymanagementisthemanagementofcryptographickeyswithinacryptosystem.Thisincludesdealingwiththegeneration,exchange,storage,use,

andreplacementofkeys.

UnderstandwhenyoushoulduseAWSKMS.AWSKMSisamanagedservicethatmakesiteasyforyoutocreateandcontrolthesymmetricencryptionkeysusedtoencryptyourdata.AWSKMSletsyoucreatekeysthatcanneverbeexportedfromtheserviceandwhichcanbeusedtoencryptanddecryptdatabasedonpoliciesyoudefine.

UnderstandwhenyoushoulduseAWSCloudHSM.AWSCloudHSMhelpsyoumeetcorporate,contractual,andregulatorycompliancerequirementsfordatasecuritybyusingdedicatedhardwaresecuritymoduleapplianceswithintheAWScloud.

UnderstandthevalueofAWSCloudTrail.AWSCloudTrailprovidesvisibilityintouseractivitybyrecordingAPIcallsmadeonyouraccount.ThishelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.AWSCloudTrailmakesiteasiertoensurecompliancewithinternalpoliciesandregulatorystandards.

KnowthethreeservicesofAmazonkinesisandtheirusecases.AmazonKinesisFirehoseallowsyoutoloadmassivevolumesofstreamingdataintoAWS.AmazonKinesisAnalyticsenablesyoutoeasilyanalyzestreamingdatarealtimewithstandardSQL.AmazonKinesisStreamsenablesyoutobuildcustomapplicationsthatprocessoranalyzestreamingdatarealtimeforspecializedneeds.

KnowwhatserviceAmazonEMRprovides.AmazonEMRprovidesamanagedHadoopserviceonAWSthatallowsyoutospinuplargeHadoopclustersinminutes.

Knowthedifferencebetweenpersistentandtransientclusters.Persistentclustersruncontinuously,sotheydonotlosedatastoredoninstance-basedHDFS.Transientclustersarelaunchedforaspecifictask,thenterminated,sotheyaccessdataonAmazonS3viaEMRFS.

KnowtheusecasesforAmazonEMR.AmazonEMRisusefulforbigdataanalyticsinvirtuallyanyindustry,including,butnotlimitedto,logprocessing,clickstreamanalysis,andgenomicsandlifesciences.

KnowtheusecasesforAWSdatapipeline.AWSDataPipelinecanmanagebatchETLprocessesatscaleonthecloud,accessingdatabothinAWSandon-premises.ItcantakeadvantageofAWScloudservicesbyspinningupresourcesrequiredfortheprocess,suchasAmazonEC2instancesorAmazonEMRclusters.

KnowthetypesofAWSimport/exportservicesandthepossiblesources/destinationsofeach.AWSSnowballisAmazonshippableappliancessuppliedreadytoship.Itcantransferdatatoandfromyouron-premisesstorageandtoandfromAmazonS3.AWSImport/ExportDiskusesyourstoragedevicesand,inadditiontotransferringdatainandoutofyouron-premisesstorage,canimportdatatoAmazonS3,AmazonEBS,andAmazonS3;itcanonlyexportdatafromAmazonS3.

UnderstandthebasicsofAWSopsworks.AWSOpsWorksisaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsofallshapesandsizesusingChef.Youcandefineanapplication’sarchitectureandthespecificationofeachcomponentincludingpackageinstallation,softwareconfiguration,andresourcessuchasstorage.

UnderstandthevalueofAWScloudformation.AWSCloudFormationisaservicethat

helpsyoumodelandsetupyourAWSresources.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayyouwoulddowithsoftware.

UnderstandthevalueofAWSelasticbeanstalk.AWSElasticBeanstalkisthefastestandsimplestwaytogetanapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.

UnderstandthecomponentsofAWSelasticbeanstalk.AnAWSElasticBeanstalkapplicationisthelogicalcollectionofenvironments,versions,andenvironmentconfigurations.InAWSElasticBeanstalk,anapplicationisconceptuallysimilartoafolder.

UnderstandthevalueofAWSconfig.AWSConfigisafullymanagedservicethatprovidesorganizationswithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationscandiscoverexistinganddeletedAWSresources,determinetheiroverallcomplianceagainstrulesanddiveintoconfigurationdetailsofaresourceatanypointintime.Thesecapabilitiesenablecomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

ReviewQuestions1. WhatoriginserversaresupportedbyAmazonCloudFront?(Choose3answers)

A. AnAmazonRoute53HostedZone

B. AnAmazonSimpleStorageService(AmazonS3)bucket

C. AnHTTPserverrunningonAmazonElasticComputeCloud(AmazonEC2)

D. AnAmazonEC2AutoScalingGroup

E. AnHTTPserverrunningon-premises

2. WhichofthefollowingaregoodusecasesforAmazonCloudFront?(Choose2answers)

A. Apopularsoftwaredownloadsitethatsupportsusersaroundtheworld,withdynamiccontentthatchangesrapidly

B. Acorporatewebsitethatservestrainingvideostoemployees.Mostemployeesarelocatedintwocorporatecampusesinthesamecity.

C. Aheavilyusedvideoandmusicstreamingservicethatrequirescontenttobedeliveredonlytopaidsubscribers

D. AcorporateHRwebsitethatsupportsaglobalworkforce.Becausethesitecontainssensitivedata,allusersmustconnectthroughacorporateVirtualPrivateNetwork(VPN).

3. YouhaveawebapplicationthatcontainsbothstaticcontentinanAmazonSimpleStorageService(AmazonS3)bucket—primarilyimagesandCSSfiles—andalsodynamiccontentcurrentlyservedbyaPHPwebapprunningonAmazonElasticComputeCloud(AmazonEC2).WhatfeaturesofAmazonCloudFrontcanbeusedtosupportthisapplicationwithasingleAmazonCloudFrontdistribution?

4. (Choose2answers)

A. MultipleOriginAccessIdentifiers

B. MultiplesignedURLs

C. Multipleorigins

D. Multipleedgelocations

E. Multiplecachebehaviors

5. Youarebuildingamedia-sharingwebapplicationthatservesvideofilestoendusersonbothPCsandmobiledevices.ThemediafilesarestoredasobjectsinanAmazonSimpleStorageService(AmazonS3)bucket,butaretobedeliveredthroughAmazonCloudFront.WhatisthesimplestwaytoensurethatonlyAmazonCloudFronthasaccesstotheobjectsintheAmazonS3bucket?

A. CreateSignedURLsforeachAmazonS3object.

B. UseanAmazonCloudFrontOriginAccessIdentifier(OAI).

C. Usepublicandprivatekeyswithsignedcookies.

D. UseanAWSIdentityandAccessManagement(IAM)bucketpolicy.

6. Yourcompanydatacenteriscompletelyfull,butthesalesgrouphasdeterminedaneedtostore200TBofproductvideo.Thevideoswerecreatedoverthelastseveralyears,withthemostrecentbeingaccessedbysalesthemostoften.Thedatamustbeaccessedlocally,butthereisnospaceinthedatacentertoinstalllocalstoragedevicestostorethisdata.WhatAWScloudservicewillmeetsales’requirements?

A. AWSStorageGatewayGateway-Storedvolumes

B. AmazonElasticComputeCloud(AmazonEC2)instanceswithattachedAmazonEBSVolumes

C. AWSStorageGatewayGateway-Cachedvolumes

D. AWSImport/ExportDisk

7. YourcompanywantstoextendtheirexistingMicrosoftActiveDirectorycapabilityintoanAmazonVirtualPrivateCloud(AmazonVPC)withoutestablishingatrustrelationshipwiththeexistingon-premisesActiveDirectory.Whichofthefollowingisthebestapproachtoachievethisgoal?

A. CreateandconnectanAWSDirectoryServiceADConnector.

B. CreateandconnectanAWSDirectoryServiceSimpleAD.

C. CreateandconnectanAWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition).

D. Noneoftheabove

8. WhichofthefollowingareAWSKeyManagementService(AWSKMS)keysthatwillneverexitAWSunencrypted?

A. AWSKMSdatakeys

B. Envelopeencryptionkeys

C. AWSKMSCustomerMasterKeys(CMKs)

D. AandC

9. WhichcryptographicmethodisusedbyAWSKeyManagementService(AWSKMS)toencryptdata?

A. Password-basedencryption

B. Asymmetric

C. Sharedsecret

D. Envelopeencryption

10. WhichAWSservicerecordsApplicationProgramInterface(API)callsmadeonyouraccountanddeliverslogfilestoyourAmazonSimpleStorageService(AmazonS3)bucket?

A. AWSCloudTrail

B. AmazonCloudWatch

C. AmazonKinesis

D. AWSDataPipeline

11. YouaretryingtodecryptciphertextwithAWSKMSandthedecryptionoperationisfailing.Whichofthefollowingarepossiblecauses?(Choose2answers)

A. Theprivatekeydoesnotmatchthepublickeyintheciphertext.

B. Theplaintextwasencryptedalongwithanencryptioncontext,andyouarenotprovidingtheidenticalencryptioncontextwhencallingtheDecryptAPI.

C. Theciphertextyouaretryingtodecryptisnotvalid.

D. YouarenotprovidingthecorrectsymmetrickeytotheDecryptAPI.

12. Yourcompanyhas30yearsoffinancialrecordsthattakeup15TBofon-premisesstorage.Itisregulatedthatyoumaintaintheserecords,butintheyearyouhaveworkedforthecompanynoonehaseverrequestedanyofthisdata.GiventhatthecompanydatacenterisalreadyfillingthebandwidthofitsInternetconnection,whatisanalternativewaytostorethedataonthemostappropriatecloudstorage?

A. AWSImport/ExporttoAmazonSimpleStorageService(AmazonS3)

B. AWSImport/ExporttoAmazonGlacier

C. AmazonKinesis

D. AmazonElasticMapReduce(AWSEMR)

13. Yourcompanycollectsinformationfromthepointofsaleregistersatallofitsfranchiselocations.Eachmonththeseprocessescollect200TBofinformationstoredinAmazonSimpleStorageService(AmazonS3).Analyticsjobstaking24hoursareperformedtogatherknowledgefromthisdata.Whichofthefollowingwillallowyoutoperformtheseanalyticsinacost-effectiveway?

A. CopythedatatoapersistentAmazonElasticMapReduce(AmazonEMR)cluster,andruntheMapReducejobs.

B. CreateanapplicationthatreadstheinformationoftheAmazonS3bucketandrunsitthroughanAmazonKinesisstream.

C. RunatransientAmazonEMRcluster,andruntheMapReducejobsagainstthedatadirectlyinAmazonS3.

D. Launchad2.8xlarge(32vCPU,244GBRAM)AmazonElasticComputeCloud(AmazonEC2)instance,andrunanapplicationtoreadandprocesseachobjectsequentially.

14. Whichserviceallowsyoutoprocessnearlylimitlessstreamsofdatainflight?

A. AmazonKinesisFirehose

B. AmazonElasticMapReduce(AmazonEMR)

C. AmazonRedshift

D. AmazonKinesisStreams

15. Whatcombinationofservicesenableyoutocopydaily50TBofdatatoAmazonstorage,processthedatainHadoop,andstoretheresultsinalargedatawarehouse?

A. AmazonKinesis,AmazonDataPipeline,AmazonElasticMapReduce(AmazonEMR),andAmazonElasticComputeCloud(AmazonEC2)

B. AmazonElasticBlockStore(AmazonEBS),AmazonDataPipeline,AmazonEMR,andAmazonRedshift

C. AmazonSimpleStorageService(AmazonS3),AmazonDataPipeline,AmazonEMR,andAmazonRedshift

D. AmazonS3,AmazonSimpleWorkflow,AmazonEMR,andAmazonDynamoDB

16. Yourcompanyhas50,000weatherstationsaroundthecountrythatsendupdatesevery2seconds.WhatservicewillenableyoutoingestthisstreamofdataandstoreittoAmazonSimpleStorageService(AmazonS3)forfutureprocessing?


B. AmazonKinesisFirehose

C. AmazonElasticComputeCloud(AmazonEC2)

D. AmazonDataPipeline

17. YourorganizationusesChefheavilyforitsdeploymentautomation.WhatAWScloudserviceprovidesintegrationwithChefrecipestostartnewapplicationserverinstances,configureapplicationserversoftware,anddeployapplications?

A. AWSElasticBeanstalk

B. AmazonKinesis

C. AWSOpsWorks


18. AfirmismovingitstestingplatformtoAWStoprovidedeveloperswithinstantaccesstocleantestanddevelopmentenvironments.Theprimaryrequirementforthefirmistomakeenvironmentseasilyreproducibleandfungible.Whatservicewillhelpthefirmmeettheirrequirements?

A. AWSCloudFormation

B. AWSConfig

C. AmazonRedshift

D. AWSTrustedAdvisor

19. Yourcompany’sITmanagementteamislookingforanonlinetooltoproviderecommendationstosavemoney,improvesystemavailabilityandperformance,andtohelpclosesecuritygaps.Whatcanhelpthemanagementteam?

A. Cloud-init

B. AWSTrustedAdvisor

C. AWSConfig

D. ConfigurationRecorder

20. YourcompanyworkswithdatathatrequiresfrequentauditsofyourAWSenvironmenttoensurecompliancewithinternalpoliciesandbestpractices.Inordertoperformtheseaudits,youneedaccesstohistoricalconfigurationsofyourresourcestoevaluaterelevantconfigurationchanges.Whichservicewillprovidethenecessaryinformationforyouraudits?

A. AWSConfig

B. AWSKeyManagementService(AWSKMS)

C. AWSCloudTrail

D. AWSOpsWorks

21. Allofthewebsitedeploymentsarecurrentlydonebyyourcompany’sdevelopmentteam.Withasurgeinwebsitepopularity,thecompanyislookingforwaystobemoreagilewithdeployments.WhatAWScloudservicecanhelpthedevelopersfocusmoreonwritingcodeinsteadofspendingtimemanagingandconfiguringservers,databases,loadbalancers,firewalls,andnetworks?

A. AWSConfig

B. AWSTrustedAdvisor

C. AmazonKinesis

D. AWSElasticBeanstalk

Chapter12SecurityonAWSTHEAWSCERTIFIEDSOLUTIONSARCHITECTEXAMTOPICSCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain3.0:DataSecurity



AWSsharedresponsibilitymodel


AWSsecurityattributes(customerworkloadsdowntophysicallayer)


AWSIdentityandAccessManagement(IAM)

AmazonVirtualPrivateCloud(AmazonVPC)

AWSCloudTrail

Ingressvs.egressfiltering,andwhichAWSservicesandfeaturesfit

CoreAmazonElasticComputeCloud(AmazonEC2)andAmazonSimpleStorageService(AmazonS3)securityfeaturesets

Incorporatingcommonconventionalsecurityproducts(Firewall,VirtualPrivateNetwork[VPN])

DenialofService(DoS)mitigation


Complexaccesscontrols(buildingsophisticatedsecuritygroups,AccessControlLists[ACLs],etc.)

IntroductionCloudsecurityisthefirstpriorityatAWS.AllAWScustomersbenefitfromadatacenterandnetworkarchitecturethatisbuilttosatisfytherequirementsofthemostsecurity-sensitiveorganizations.AWSanditspartnersoffertoolsandfeaturestohelpyoumeetyoursecurityobjectivesaroundvisibility,auditability,controllability,andagility.Thismeansthatyoucanhavethesecurityyouneed,butwithoutthecapitaloutlayandatamuchloweroperationaloverheadthaninanon-premisesoratraditionaldatacenterenvironment.ThischapterwillcovertherelevantsecuritytopicsthatarewithinscopeoftheAWSCertifiedSolutionsArchitect–Associateexam.

SharedResponsibilityModelBeforewegointothedetailsofhowAWSsecuresitsresources,weshouldtalkabouthowsecurityinthecloudisslightlydifferentthansecurityinyouron-premisesdatacenters.Whenyoumovecomputersystemsanddatatothecloud,securityresponsibilitiesbecomesharedbetweenyouandyourcloudserviceprovider.Inthiscase,AWSisresponsibleforsecuringtheunderlyinginfrastructurethatsupportsthecloud,andyou’reresponsibleforanythingyouputonthecloudorconnecttothecloud.Thissharedresponsibilitymodelcanreduceyouroperationalburdeninmanyways,andinsomecasesitmayevenimproveyourdefaultsecurityposturewithoutadditionalactiononyourpart.Figure12.1illustratesAWSresponsibilitiesversusthoseofthecustomer.Essentially,AWSisresponsibleforsecurityofthecloud,andcustomersareresponsibleforsecurityinthecloud.

FIGURE12.1Thesharedresponsibilitymodel

AWSComplianceProgramAWScomplianceenablescustomerstounderstandtherobustcontrolsinplaceatAWStomaintainsecurityanddataprotectioninthecloud.AsyoubuildsystemsontopofAWSCloudinfrastructure,yousharecomplianceresponsibilitieswithAWS.Bytyingtogethergovernance-focused,audit-friendlyservicefeatureswithapplicablecomplianceorauditstandards,AWScomplianceenablersbuildontraditionalprograms,helpingyoutoestablishandoperateinanAWSsecuritycontrolenvironment.TheITinfrastructurethatAWSprovidesisdesignedandmanagedinalignmentwithsecuritybestpracticesandavarietyofITsecuritystandards,including(atthetimeofthiswriting):

ServiceOrganizationControl(SOC)1/StatementonStandardsforAttestationEngagements(SSAE)16/InternationalStandardsforAssuranceEngagementsNo.3402(ISAE)3402(formerlyStatementonAuditingStandards[SAS]70)

SOC2

SOC3

FederalInformationSecurityManagementAct(FISMA),DepartmentofDefense(DoD)InformationAssuranceCertificationandAccreditationProcess(DIACAP),andFederalRiskandAuthorizationManagementProgram(FedRAMP)

DoDCloudComputingSecurityRequirementsGuide(SRG)Levels2and4

PaymentCardIndustryDataSecurityStandard(PCIDSS)Level1

InternationalOrganizationforStandardization(ISO)9001andISO27001

InternationalTrafficinArmsRegulations(ITAR)

FederalInformationProcessingStandard(FIPS)140-2

Inaddition,theflexibilityandcontrolthattheAWSplatformprovidesallowscustomerstodeploysolutionsthatmeetseveralindustry-specificstandards,including:

CriminalJusticeInformationServices(CJIS)

CloudSecurityAlliance(CSA)

FamilyEducationalRightsandPrivacyAct(FERPA)

HealthInsurancePortabilityandAccountabilityAct(HIPAA)

MotionPictureAssociationofAmerica(MPAA)

AWSprovidesawiderangeofinformationregardingitsITcontrolenvironmenttocustomersthroughwhitepapers,reports,certifications,accreditations,andotherthird-partyattestations.ToaidinpreparationforyourAWSCertifiedSolutionsArchitectAssociateexam,seeChapter13,“AWSRiskandCompliance.”Moreinformationisavailableinthe“AWSRiskandCompliance”whitepaperavailableontheAWSwebsite.

AWSGlobalInfrastructureSecurityAWSoperatestheglobalcloudinfrastructurethatyouusetoprovisionavarietyofbasiccomputingresourcessuchasprocessingandstorage.TheAWSglobalinfrastructureincludesthefacilities,network,hardware,andoperationalsoftware(forexample,hostoperatingsystemandvirtualizationsoftware)thatsupporttheprovisioninganduseoftheseresources.TheAWSglobalinfrastructureisdesignedandmanagedaccordingtosecuritybestpracticesaswellasavarietyofsecuritycompliancestandards.AsanAWScustomer,youcanbeassuredthatyou’rebuildingwebarchitecturesontopofsomeofthemostsecurecomputinginfrastructureintheworld.

PhysicalandEnvironmentalSecurityAWSdatacentersarestateoftheart,usinginnovativearchitecturalandengineeringapproaches.Amazonhasmanyyearsofexperienceindesigning,constructing,andoperatinglarge-scaledatacenters.ThisexperiencehasbeenappliedtotheAWSplatformandinfrastructure.AWSdatacentersarehousedinnondescriptfacilities.Physicalaccessisstrictlycontrolledbothattheperimeterandatbuildingingresspointsbyprofessionalsecuritystaffusingvideosurveillance,intrusiondetectionsystems,andotherelectronicmeans.Authorizedstaffmustpasstwo-factorauthenticationaminimumoftwotimestoaccessdatacenterfloors.Allvisitorsandcontractorsarerequiredtopresentidentificationandaresignedinandcontinuallyescortedbyauthorizedstaff.

AWSonlyprovidesdatacenteraccessandinformationtoemployeesandcontractorswhohavealegitimatebusinessneedforsuchprivileges.Whenanemployeenolongerhasabusinessneedfortheseprivileges,hisorheraccessisimmediatelyrevoked,eveniftheycontinuetobeanemployeeofAmazonorAWS.AllphysicalaccesstodatacentersbyAWSemployeesisloggedandauditedroutinely.

FireDetectionandSuppressionAWSdatacentershaveautomaticfiredetectionandsuppressionequipmenttoreducerisk.Thefiredetectionsystemusessmokedetectionsensorsinalldatacenterenvironments,mechanicalandelectricalinfrastructurespaces,chillerroomsandgeneratorequipmentrooms.Theseareasareprotectedbywet-pipe,double-interlockedpre-action,orgaseoussprinklersystems.

PowerAWSdatacenterelectricalpowersystemsaredesignedtobefullyredundantandmaintainablewithoutimpacttooperations,24hoursaday,and7daysaweek.UninterruptiblePowerSupply(UPS)unitsprovidebackuppowerintheeventofanelectricalfailureforcriticalandessentialloadsinthefacility.AWSdatacentersusegeneratorstoprovidebackuppowerfortheentirefacility.

ClimateandTemperatureClimatecontrolisrequiredtomaintainaconstantoperatingtemperatureforserversandotherhardware,whichpreventsoverheatingandreducesthepossibilityofserviceoutages.

AWSdatacentersarebuilttomaintainatmosphericconditionsatoptimallevels.Personnelandsystemsmonitorandcontroltemperatureandhumidityatappropriatelevels.

ManagementAWSmonitorselectrical,mechanical,andlifesupportsystemsandequipmentsothatanyissuesareimmediatelyidentified.AWSstaffperformspreventativemaintenancetomaintainthecontinuedoperabilityofequipment.

StorageDeviceDecommissioningWhenastoragedevicehasreachedtheendofitsusefullife,AWSproceduresincludeadecommissioningprocessthatisdesignedtopreventcustomerdatafrombeingexposedtounauthorizedindividuals.

BusinessContinuityManagementAmazon’sinfrastructurehasahighlevelofavailabilityandprovidescustomerswiththefeaturestodeployaresilientITarchitecture.AWShasdesigneditssystemstotoleratesystemorhardwarefailureswithminimalcustomerimpact.DatacenterBusinessContinuityManagementatAWSisunderthedirectionoftheAmazonInfrastructureGroup.

AvailabilityDatacentersarebuiltinclustersinvariousglobalregions.Alldatacentersareonlineandservingcustomers;nodatacenteris“cold.”Incaseoffailure,automatedprocessesmovedatatrafficawayfromtheaffectedarea.CoreapplicationsaredeployedinanN+1configuration,sothatintheeventofadatacenterfailure,thereissufficientcapacitytoenabletraffictobeload-balancedtotheremainingsites.

AWSprovidesitscustomerswiththeflexibilitytoplaceinstancesandstoredatawithinmultiplegeographicregionsandalsoacrossmultipleAvailabilityZoneswithineachregion.EachAvailabilityZoneisdesignedasanindependentfailurezone.ThismeansthatAvailabilityZonesarephysicallyseparatedwithinatypicalmetropolitanregionandarelocatedinlowerriskfloodplains(specificfloodzonecategorizationvariesbyregion).InadditiontohavingdiscreteUPSandon-sitebackupgenerationfacilities,theyareeachfedviadifferentgridsfromindependentutilitiestofurtherreducesinglepointsoffailure.AvailabilityZonesareallredundantlyconnectedtomultipletier-1transitproviders.Figure12.2illustrateshowAWSregionsarecomprisedofAvailabilityZones.

FIGURE12.2AmazonWebServicesregions

YoushouldarchitectyourAWSusagetotakeadvantageofmultipleregionsandAvailabilityZones.DistributingapplicationsacrossmultipleAvailabilityZonesprovidestheabilitytoremainresilientinthefaceofmostfailuremodes,includingnaturaldisastersorsystemfailures.

IncidentResponseTheAmazonIncidentManagementteamemploysindustry-standarddiagnosticprocedurestodriveresolutionduringbusiness-impactingevents.Staffoperatorsprovide24×7×365coveragetodetectincidentsandtomanagetheimpactandresolution.

CommunicationAWShasimplementedvariousmethodsofinternalcommunicationatagloballeveltohelpemployeesunderstandtheirindividualrolesandresponsibilitiesandtocommunicatesignificanteventsinatimelymanner.Thesemethodsincludeorientationandtrainingprogramsfornewlyhiredemployees,regularmanagementmeetingsforupdatesonbusinessperformanceandothermatters,andelectronicsmeanssuchasvideoconferencing,electronicmailmessages,andthepostingofinformationviatheAmazonintranet.

AWShasalsoimplementedvariousmethodsofexternalcommunicationtosupportitscustomerbaseandthecommunity.Mechanismsareinplacetoallowthecustomersupportteamtobenotifiedofoperationalissuesthatimpactthecustomerexperience.AServiceHealthDashboardisavailableandmaintainedbythecustomersupportteamtoalertcustomerstoanyissuesthatmaybeofbroadimpact.TheAWSSecurityCenterisavailableto

provideyouwithsecurityandcompliancedetailsaboutAWS.CustomerscanalsosubscribetoAWSSupportofferingsthatincludedirectcommunicationwiththecustomersupportteamandproactivealertstoanycustomer-impactingissues.

NetworkSecurityTheAWSnetworkhasbeenarchitectedtopermityoutoselectthelevelofsecurityandresiliencyappropriateforyourworkload.Toenableyoutobuildgeographicallydispersed,fault-tolerantwebarchitectureswithcloudresources,AWShasimplementedaworld-classnetworkinfrastructurethatiscarefullymonitoredandmanaged.

SecureNetworkArchitectureNetworkdevices,includingfirewallandotherboundarydevices,areinplacetomonitorandcontrolcommunicationsattheexternalboundaryofthenetworkandatkeyinternalboundarieswithinthenetwork.Theseboundarydevicesemployrulesets,accesscontrollists(ACLs),andconfigurationstoenforcetheflowofinformationtospecificinformationsystemservices.

ACLs,ortrafficflowpolicies,areestablishedoneachmanagedinterface,whichmanageandenforcetheflowoftraffic.ACLpoliciesareapprovedbyAmazonInformationSecurity.Thesepoliciesareautomaticallypushedtoensurethesemanagedinterfacesenforcethemostup-to-dateACLs.

SecureAccessPointsAWShasstrategicallyplacedalimitednumberofaccesspointstothecloudtoallowforamorecomprehensivemonitoringofinboundandoutboundcommunicationsandnetworktraffic.ThesecustomeraccesspointsarecalledApplicationProgrammingInterface(API)endpoints,andtheypermitsecureHTTPaccess(HTTPS),whichallowsyoutoestablishasecurecommunicationsessionwithyourstorageorcomputeinstanceswithinAWS.TosupportcustomerswithFederalInformationProcessingStandard(FIPS)cryptographicrequirements,theSecureSocketsLayer(SSL)-terminatingloadbalancersinAWSGovCloud(US)areFIPS140-2compliant.

Inaddition,AWShasimplementednetworkdevicesthatarededicatedtomanaginginterfacingcommunicationswithInternetServiceProviders(ISPs).AWSemploysaredundantconnectiontomorethanonecommunicationserviceateachInternet-facingedgeoftheAWSnetwork.Theseconnectionseachhavededicatednetworkdevices.

TransmissionProtectionYoucanconnecttoanAWSaccesspointviaHTTPorHTTPSusingSSL,acryptographicprotocolthatisdesignedtoprotectagainsteavesdropping,tampering,andmessageforgery.Forcustomerswhorequireadditionallayersofnetworksecurity,AWSofferstheAmazonVirtualPrivateCloud(AmazonVPC)(asreferencedinChapter4,“AmazonVirtualPrivateCloud(AmazonVPC),”whichprovidesaprivatesubnetwithintheAWSCloudandtheabilitytouseanIPsecVirtualPrivateNetwork(VPN)devicetoprovideanencryptedtunnelbetweentheAmazonVPCandyourdatacenter.

NetworkMonitoringandProtection

TheAWSnetworkprovidessignificantprotectionagainsttraditionalnetworksecurityissues,andyoucanimplementfurtherprotection.Thefollowingareafewexamples:

DistributedDenialofService(DDoS)AttacksAWSAPIendpointsarehostedonalarge,Internet-scale,world-classinfrastructurethatbenefitsfromthesameengineeringexpertisethathasbuiltAmazonintotheworld’slargestonlineretailer.ProprietaryDDoSmitigationtechniquesareused.Additionally,AWSnetworksaremulti-homedacrossanumberofproviderstoachieveInternetaccessdiversity.

ManintheMiddle(MITM)AttacksAlloftheAWSAPIsareavailableviaSSL-protectedendpointsthatprovideserverauthentication.AmazonElasticComputeCloud(AmazonEC2)AMIsautomaticallygeneratenewSecureShell(SSH)hostcertificatesonfirstbootandlogthemtotheinstance’sconsole.YoucanthenusethesecureAPIstocalltheconsoleandaccessthehostcertificatesbeforeloggingintotheinstanceforthefirsttime.AWSencouragesyoutouseSSLforallofyourinteractions.

IPSpoofingAmazonEC2instancescannotsendspoofednetworktraffic.TheAWS-controlled,host-basedfirewallinfrastructurewillnotpermitaninstancetosendtrafficwithasourceIPorMachineAccessControl(MAC)addressotherthanitsown.

PortScanningUnauthorizedportscansbyAmazonEC2customersareaviolationoftheAWSAcceptableUsePolicy.ViolationsoftheAWSAcceptableUsePolicyaretakenseriously,andeveryreportedviolationisinvestigated.CustomerscanreportsuspectedabuseviathecontactsavailableontheAWSwebsite.WhenunauthorizedportscanningisdetectedbyAWS,itisstoppedandblocked.PortscansofAmazonEC2instancesaregenerallyineffectivebecause,bydefault,allinboundportsonAmazonEC2instancesareclosedandareonlyopenedbythecustomer.Strictmanagementofsecuritygroupscanfurthermitigatethethreatofportscans.Ifyouconfigurethesecuritygrouptoallowtrafficfromanysourcetoaspecificport,thatspecificportwillbevulnerabletoaportscan.Inthesecases,youmustuseappropriatesecuritymeasurestoprotectlisteningservicesthatmaybeessentialtotheirapplicationfrombeingdiscoveredbyanunauthorizedportscan.Forexample,awebservermustclearlyhaveport80(HTTP)opentotheworld,andtheadministratorofthisserverisresponsibleforthesecurityoftheHTTPserversoftware,suchasApache.Youmayrequestpermissiontoconductvulnerabilityscansasrequiredtomeetyourspecificcompliancerequirements.ThesescansmustbelimitedtoyourowninstancesandmustnotviolatetheAWSAcceptableUsePolicy.AdvancedapprovalforthesetypesofscanscanbeinitiatedbysubmittingarequestviatheAWSwebsite.

PacketSniffingbyOtherTenantsWhileyoucanplaceyourinterfacesintopromiscuousmode,thehypervisorwillnotdeliveranytraffictothemthatisnotaddressedtothem.Eventwovirtualinstancesthatareownedbythesamecustomerlocatedonthesamephysicalhostcannotlistentoeachother’straffic.WhileAmazonEC2doesprovideampleprotectionagainstonecustomerinadvertentlyormaliciouslyattemptingtoviewanothercustomer’sdata,asastandardpracticeyoushouldencryptsensitivetraffic.

Itisnotpossibleforavirtualinstancerunninginpromiscuousmodetoreceiveor“sniff”trafficthatisintendedforadifferentvirtualinstance.

AttackssuchasAddressResolutionProtocol(ARP)cachepoisoningdonotworkwithinAmazonEC2andAmazonVPC.

AWSAccountSecurityFeaturesAWSprovidesavarietyoftoolsandfeaturesthatyoucanusetokeepyourAWSaccountandresourcessafefromunauthorizeduse.Thisincludescredentialsforaccesscontrol,HTTPSendpointsforencrypteddatatransmission,thecreationofseparateAWSIdentityandAccessManagement(IAM)useraccounts,anduseractivityloggingforsecuritymonitoring.YoucantakeadvantageofallofthesesecuritytoolsnomatterwhichAWSservicesyouselect.

AWSCredentialsTohelpensurethatonlyauthorizedusersandprocessesaccessyourAWSaccountandresources,AWSusesseveraltypesofcredentialsforauthentication.Theseincludepasswords,cryptographickeys,digitalsignatures,andcertificates.AWSalsoprovidestheoptionofrequiringMulti-FactorAuthentication(MFA)tologintoyourAWSAccountorIAMuseraccounts.Table12.1highlightsthevariousAWScredentialsandtheiruses.

TABLE12.1AWSCredentials

CredentialType

Use Description

Passwords AWSrootaccountorIAMuseraccountlogintotheAWSManagementConsole

AstringofcharactersusedtologintoyourAWSaccountorIAMaccount.AWSpasswordsmustbeaminimumof6charactersandmaybeupto128characters.

Multi-FactorAuthentication(MFA)

AWSrootaccountorIAMuseraccountlogintotheAWSManagementConsole

Asix-digit,single-usecodethatisrequiredinadditiontoyourpasswordtologintoyourAWSaccountorIAMuseraccount.

AccessKeys Digitally-signedrequeststoAWSAPIs(usingtheAWSSoftwareDevelopmentKit[SDK],CommandLineInterface[CLI],orREST/QueryAPIs)

IncludesanaccesskeyIDandasecretaccesskey.YouuseaccesskeystosignprogrammaticrequestsdigitallythatyoumaketoAWS.

KeyPairs SSHlogintoAmazonEC2instancesAmazonCloudFront-signedURLs

AkeypairisrequiredtoconnecttoanAmazonEC2instancelaunchedfromapublicAMI.ThekeysthatAmazonEC2usesare1024-bitSSH-2RSAkeys.Youcanhaveakeypairgeneratedautomaticallyforyouwhenyoulaunchtheinstance,oryoucanuploadyourown.

X.509Certificates

DigitallysignedSOAPrequeststoAWSAPIsSSLservercertificatesforHTTPS

X.509certificatesareonlyusedtosignSOAP-basedrequests(currentlyusedonlywithAmazonSimpleStorageService[AmazonS3]).YoucanhaveAWScreateanX.509certificateandprivatekeythatyoucandownload,oryoucanuploadyourowncertificatebyusingtheSecurityCredentialspage.

Forsecurityreasons,ifyourcredentialshavebeenlostorforgotten,youcannotrecoverthemorre-downloadthem.However,youcancreatenewcredentialsandthendisableordeletetheoldsetofcredentials.Infact,AWSrecommendsthatyouchange(rotate)youraccesskeysandcertificatesonaregularbasis.Tohelpyoudothiswithoutpotentialimpacttoyourapplication’savailability,AWSsupportsmultipleconcurrentaccesskeysandcertificates.Withthisfeature,youcanrotatekeysandcertificatesintoandoutofoperationonaregularbasiswithoutanydowntimetoyourapplication.Thiscanhelptomitigateriskfromlostorcompromisedaccesskeysorcertificates.

TheAWSIAMAPIenablesyoutorotatetheaccesskeysofyourAWSaccountandalsoforIAMuseraccounts.

PasswordsPasswordsarerequiredtoaccessyourAWSAccount,individualIAMuseraccounts,AWS

DiscussionForums,andtheAWSSupportCenter.Youspecifythepasswordwhenyoufirstcreatetheaccount,andyoucanchangeitatanytimebygoingtotheSecurityCredentialspage.AWSpasswordscanbeupto128characterslongandcontainspecialcharacters,givingyoutheabilitytocreateverystrongpasswords.

YoucansetapasswordpolicyforyourIAMuseraccountstoensurethatstrongpasswordsareusedandthattheyarechangedoften.ApasswordpolicyisasetofrulesthatdefinethetypeofpasswordanIAMusercanset.

AWSMulti-FactorAuthentication(AWSMFA)AWSMFAisanadditionallayerofsecurityforaccessingAWSCloudservices.Whenyouenablethisoptionalfeature,youwillneedtoprovideasix-digit,single-usecodeinadditiontoyourstandardusernameandpasswordcredentialsbeforeaccessisgrantedtoyourAWSaccountsettingsorAWSCloudservicesandresources.Yougetthissingle-usecodefromanauthenticationdevicethatyoukeepinyourphysicalpossession.ThisisMFAbecausemorethanoneauthenticationfactorischeckedbeforeaccessisgranted:apassword(somethingyouknow)andtheprecisecodefromyourauthenticationdevice(somethingyouhave).YoucanenableMFAdevicesforyourAWSaccountandfortheusersyouhavecreatedunderyourAWSaccountwithAWSIAM.Inaddition,youcanaddMFAprotectionforaccessacrossAWSaccounts,forwhenyouwanttoallowauseryou’vecreatedunderoneAWSaccounttouseanIAMroletoaccessresourcesunderanotherAWSaccount.YoucanrequiretheusertouseMFAbeforeassumingtheroleasanadditionallayerofsecurity.

AWSMFAsupportstheuseofbothhardwaretokensandvirtualMFAdevices.VirtualMFAdevicesusethesameprotocolsasthephysicalMFAdevices,butcanrunonanymobilehardwaredevice,includingasmartphone.AvirtualMFAdeviceusesasoftwareapplicationthatgeneratessix-digitauthenticationcodesthatarecompatiblewiththeTime-BasedOne-TimePassword(TOTP)standard,asdescribedinRFC6238.MostvirtualMFAapplicationsallowyoutohostmorethanonevirtualMFAdevice,whichmakesthemmoreconvenientthanhardwareMFAdevices.However,youshouldbeawarethatbecauseavirtualMFAmayberunonalesssecuredevicesuchasasmartphone,avirtualMFAmightnotprovidethesamelevelofsecurityasahardwareMFAdevice.

YoucanalsoenforceMFAauthenticationforAWSCloudserviceAPIsinordertoprovideanextralayerofprotectionoverpowerfulorprivilegedactionssuchasterminatingAmazonEC2instancesorreadingsensitivedatastoredinAmazonS3.YoudothisbyaddinganMFArequirementtoanIAMaccesspolicy.YoucanattachtheseaccesspoliciestoIAMusers,IAMgroups,orresourcesthatsupportACLslikeAmazonS3buckets,AmazonSimpleQueueService(AmazonSQS)queues,andAmazonSimpleNotificationService(AmazonSNS)topics.

AccessKeysAccesskeysarecreatedbyAWSIAManddeliveredasapair:theAccessKeyID(AKI)andtheSecretAccessKey(SAK).AWSrequiresthatallAPIrequestsbesignedbytheSAK;thatis,theymustincludeadigitalsignaturethatAWScanusetoverifytheidentityoftherequestor.Youcalculatethedigitalsignatureusingacryptographichashfunction.IfyouuseanyoftheAWSSDKstogeneraterequests,thedigitalsignaturecalculationisdoneforyou.

Notonlydoesthesigningprocesshelpprotectmessageintegritybypreventingtamperingwiththerequestwhileitisintransit,butitalsohelpsprotectagainstpotentialreplayattacks.ArequestmustreachAWSwithin15minutesofthetimestampintherequest.Otherwise,AWSdeniestherequest.

ThemostrecentversionofthedigitalsignaturecalculationprocessatthetimeofthiswritingisSignatureVersion4,whichcalculatesthesignatureusingtheHashedMessageAuthenticationMode(HMAC)-SecureHashAlgorithm(SHA)-256protocol.Version4providesanadditionalmeasureofprotectionoverpreviousversionsbyrequiringthatyousignthemessageusingakeythatisderivedfromyourSAKinsteadofusingtheSAKitself.Inaddition,youderivethesigningkeybasedoncredentialscope,whichfacilitatescryptographicisolationofthesigningkey.

Becauseaccesskeyscanbemisusediftheyfallintothewronghands,AWSencouragesyoutosavetheminasafeplaceandtonotembedtheminyourcode.ForcustomerswithlargefleetsofelasticallyscalingAmazonEC2instances,theuseofIAMrolescanbeamoresecureandconvenientwaytomanagethedistributionofaccesskeys.

IAMrolesprovidetemporarycredentials,whichnotonlygetautomaticallyloadedtothetargetinstance,butarealsoautomaticallyrotatedmultipletimesaday.

AmazonEC2usesanInstanceProfileasacontainerforanIAMrole.WhenyoucreateanIAMroleusingtheAWSManagementConsole,theconsolecreatesaninstanceprofileautomaticallyandgivesitthesamenameastheroletowhichitcorresponds.IfyouusetheAWSCLI,API,oranAWSSDKtocreatearole,youcreatetheroleandinstanceprofileasseparateactions,andyoumightgivethemdifferentnames.TolaunchaninstancewithanIAMrole,youspecifythenameofitsinstanceprofile.WhenyoulaunchaninstanceusingtheAmazonEC2console,youcanselectaroletoassociatewiththeinstance;however,thelistthat’sdisplayedisactuallyalistofinstanceprofilenames.

KeypairsAmazonEC2supportsRSA2048SSHkeysforgainingfirstaccesstoanAmazonEC2instance.OnaLinuxinstance,accessisgrantedthroughshowingpossessionoftheSSHprivatekey.OnaWindowsinstance,accessisgrantedbyshowingpossessionoftheSSHprivatekeyinordertodecrypttheadministratorpassword.Thepublickeyisembeddedinyourinstance,andyouusetheprivatekeytosigninsecurelywithoutapassword.AfteryoucreateyourownAMIs,youcanchooseothermechanismstologintoyournewinstancessecurely.Youcanhaveakeypairgeneratedautomaticallyforyouwhenyoulaunchtheinstanceoryoucanuploadyourown.Savetheprivatekeyinasafeplaceonyoursystemandrecordthelocationwhereyousavedit.

ForAmazonCloudFront,youusekeypairstocreatesignedURLsforprivatecontent,suchaswhenyouwanttodistributerestrictedcontentthatsomeonepaidfor.YoucreateAmazonCloudFrontkeypairsbyusingtheSecurityCredentialspage.AmazonCloudFrontkeypairscanbecreatedonlybytherootaccountandcannotbecreatedbyIAMusers.

X.509CertificatesX.509certificatesareusedtosignSOAP-basedrequests.X.509certificatescontainapublickeythatisassociatedwithaprivatekey.Whenyoucreatearequest,youcreateadigitalsignaturewithyourprivatekeyandthenincludethatsignatureintherequest,alongwithyourcertificate.AWSverifiesthatyou’rethesenderbydecryptingthesignaturewiththepublickeythatisinyourcertificate.AWSalsoverifiesthatthecertificatethatyousentmatchesthecertificatethatyouuploadedtoAWS.

ForyourAWSaccount,youcanhaveAWScreateanX.509certificateandprivatekeythatyoucandownload,oryoucanuploadyourowncertificatebyusingtheSecurityCredentialspage.ForIAMusers,youmustcreatetheX.509certificate(signingcertificate)byusingthird-partysoftware.Incontrasttorootaccountcredentials,AWScannotcreateanX.509certificateforIAMusers.Afteryoucreatethecertificate,youattachittoanIAMuserbyusingIAM.

InadditiontoSOAPrequests,X.509certificatesareusedasSSL/TransportLayerSecurity(TLS)servercertificatesforcustomerswhowanttouseHTTPStoencrypttheirtransmissions.TousethemforHTTPS,youcanuseanopen-sourcetoollikeOpenSSLtocreateauniqueprivatekey.You’llneedtheprivatekeytocreatetheCertificateSigningRequest(CSR)thatyousubmittoaCertificateAuthority(CA)toobtaintheservercertificate.You’llthenusetheAWSCLItouploadthecertificate,privatekey,andcertificatechaintoIAM.

YouwillalsoneedanX.509certificatetocreateacustomizedLinuxAMIforAmazonEC2instances.Thecertificateisonlyrequiredtocreateaninstance-backedAMI(asopposedtoanAmazonElasticBlockStore[AmazonEBS]-backedAMI).YoucanhaveAWScreateanX.509certificateandprivatekeythatyoucandownload,oryoucanuploadyourowncertificatebyusingtheSecurityCredentialspage.

AWSCloudTrailAWSCloudTrailisawebservicethatrecordsAPIcallsmadeonyouraccountanddeliverslogfilestoyourAmazonS3bucket.AWSCloudTrail’sbenefitisvisibilityintoaccountactivitybyrecordingAPIcallsmadeonyouraccount.AWSCloudTrailrecordsthefollowinginformationabouteachAPIcall:

ThenameoftheAPI

Theidentityofthecaller

ThetimeoftheAPIcall

Therequestparameters

TheresponseelementsreturnedbytheAWSCloudservice

ThisinformationhelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.AWSCloudTrailmakesiteasiertoensurecompliancewithinternalpoliciesandregulatorystandards.

AWSCloudTrailsupportslogfileintegrity,whichmeansyoucanprovetothirdparties(forexample,auditors)thatthelogfilesentbyAWSCloudTrailhasnotbeenaltered.Validatedlogfilesareinvaluableinsecurityandforensicinvestigations.Thisfeatureisbuiltusing

industrystandardalgorithms:SHA-256forhashingandSHA-256withRSAfordigitalsigning.Thismakesitcomputationallyunfeasibletomodify,delete,orforgeAWSCloudTraillogfileswithoutdetection.

AWSCloudService-SpecificSecurityNotonlyissecuritybuiltintoeverylayeroftheAWSinfrastructure,butalsointoeachoftheservicesavailableonthatinfrastructure.AWSCloudservicesarearchitectedtoworkefficientlyandsecurelywithallAWSnetworksandplatforms.Eachserviceprovidesadditionalsecurityfeaturestoenableyoutoprotectsensitivedataandapplications.

ComputeServicesAWSprovidesavarietyofcloud-basedcomputingservicesthatincludeawideselectionofcomputeinstancesthatcanscaleupanddownautomaticallytomeettheneedsofyourapplicationorenterprise.

AmazonElasticComputeCloud(AmazonEC2)SecurityAmazonEC2isakeycomponentinAmazon’sInfrastructureasaService(IaaS),providingresizablecomputingcapacityusingserverinstancesinAWSdatacenters.AmazonEC2isdesignedtomakeweb-scalecomputingeasierbyenablingyoutoobtainandconfigurecapacitywithminimalfriction.Youcreateandlaunchinstances,whicharecollectionsofplatformhardwareandsoftware.

MultipleLevelsofSecuritySecuritywithinAmazonEC2isprovidedonmultiplelevels:theoperatingsystem(OS)ofthehostplatform,thevirtualinstanceOSorguestOS,afirewall,andsignedAPIcalls.Eachoftheseitemsbuildsonthecapabilitiesoftheothers.ThegoalistopreventdatacontainedwithinAmazonEC2frombeinginterceptedbyunauthorizedsystemsorusersandtomakeAmazonEC2instancesthemselvesassecureaspossiblewithoutsacrificingtheflexibilityinconfigurationthatcustomersdemand.

TheHypervisorAmazonEC2currentlyusesahighlycustomizedversionoftheXenhypervisor,takingadvantageofparavirtualization(inthecaseofLinuxguests).Becauseparavirtualizedguestsrelyonthehypervisortoprovidesupportforoperationsthatnormallyrequireprivilegedaccess,theguestOShasnoelevatedaccesstotheCPU.TheCPUprovidesfourseparateprivilegemodes:0–3,calledrings.Ring0isthemostprivilegedand3theleast.ThehostOSexecutesinRing0.However,insteadofexecutinginRing0asmostOSsdo,theguestOSrunsinlesser-privilegedRing1,andapplicationsintheleastprivilegedinRing3.Thisexplicitvirtualizationofthephysicalresourcesleadstoaclearseparationbetweenguestandhypervisor,resultinginadditionalsecurityseparationbetweenthetwo.

InstanceIsolationDifferentinstancesrunningonthesamephysicalmachineareisolatedfromeachotherviatheXenhypervisor.AmazonisactiveintheXencommunity,whichprovidesAWSwithawarenessofthelatestdevelopments.Inaddition,theAWSfirewallresideswithinthehypervisorlayer,betweenthephysicalnetworkinterfaceandtheinstance’svirtualinterface.Allpacketsmustpassthroughthislayer;thus,aninstance’sneighborshavenomoreaccesstothatinstancethananyotherhostontheInternetandcanbetreatedasiftheyareonseparatephysicalhosts.ThephysicalRAMisseparatedusingsimilarmechanisms.Customerinstanceshavenoaccesstorawdiskdevices,butinsteadarepresentedwithvirtualizeddisks.TheAWSproprietarydiskvirtualizationlayerautomaticallyresetseveryblockofstorageusedbythecustomer,sothatonecustomer’sdataisnever

unintentionallyexposedtoanothercustomer.Inaddition,memoryallocatedtoguestsisscrubbed(settozero)bythehypervisorwhenitisunallocatedtoaguest.Thememoryisnotreturnedtothepooloffreememoryavailablefornewallocationsuntilthememoryscrubbingiscompleted.Figure12.3depictsinstanceisolationwithinAmazonEC2.

FIGURE12.3AmazonEC2multiplelayersofsecurity

HostOperatingSystemAdministratorswithabusinessneedtoaccessthemanagementplanearerequiredtouseMFAtogainaccesstopurpose-builtadministrationhosts.Theseadministrativehostsaresystemsthatarespecificallydesigned,built,configured,andhardenedtoprotectthemanagementplaneofthecloud.Allsuchaccessisloggedandaudited.Whenanemployeenolongerhasabusinessneedtoaccessthemanagementplane,theprivilegesandaccesstothesehostsandrelevantsystemscanberevoked.

GuestOperatingSystemVirtualinstancesarecompletelycontrolledbyyou,thecustomer.Youhavefullrootaccessoradministrativecontroloveraccounts,services,andapplications.AWSdoesnothaveanyaccessrightstoyourinstancesortheguestOS.AWSrecommendsabasesetofsecuritybestpracticestoincludedisablingpassword-onlyaccesstoyourguests,andusingsomeformofMFAtogainaccesstoyourinstances(orataminimumcertificate-basedSSHVersion2access).Additionally,youshouldemployaprivilegeescalationmechanismwithloggingonaper-userbasis.Forexample,iftheguestOSisLinux,afterhardening,yourinstanceyoushouldusecertificate-basedSSHv2toaccessthevirtualinstance,disableremoterootlogin,usecommand-linelogging,andusesudoforprivilegeescalation.YoushouldgenerateyourownkeypairsinordertoguaranteethattheyareuniqueandnotsharedwithothercustomersorwithAWS.AWSalsosupportstheuseoftheSSHnetworkprotocoltoenableyoutologinsecurelytoyourUNIX/LinuxAmazonEC2instances.

AuthenticationforSSHusedwithAWSisviaapublic/privatekeypairtoreducetheriskofunauthorizedaccesstoyourinstance.YoucanalsoconnectremotelytoyourWindowsinstancesusingRemoteDesktopProtocol(RDP)byusinganRDPcertificategeneratedforyourinstance.YoualsocontroltheupdatingandpatchingofyourguestOS,includingsecurityupdates.Amazon-providedWindowsandLinux-basedAMIsareupdatedregularlywiththelatestpatches,soifyoudonotneedtopreservedataorcustomizationsonyourrunningAmazonAMIinstances,youcansimplyrelaunchnewinstanceswiththelatestupdatedAMI.Inaddition,updatesareprovidedfortheAmazonLinuxAMIviatheAmazonLinuxyumrepositories.

FirewallAmazonEC2providesamandatoryinboundfirewallthatisconfiguredinadefaultdeny-allmode;AmazonEC2customersmustexplicitlyopentheportsneededtoallowinboundtraffic.Thetrafficmayberestrictedbyprotocol,byserviceport,andbysourceIPaddress(individualIPorClasslessInter-DomainRouting[CIDR]block).

Thefirewallcanbeconfiguredingroups,permittingdifferentclassesofinstancestohavedifferentrules.Consider,forexample,thecaseofatraditionalthree-tieredwebapplication.Thegroupforthewebserverswouldhaveport80(HTTP)and/orport443(HTTPS)opentotheInternet.Thegroupfortheapplicationserverswouldhaveport8000(applicationspecific)accessibleonlytothewebservergroup.Thegroupforthedatabaseserverswouldhaveport3306(MySQL)openonlytotheapplicationservergroup.Allthreegroupswouldpermitadministrativeaccessonport22(SSH),butonlyfromthecustomer’scorporatenetwork.Highlysecureapplicationscanbedeployedusingthisapproach,whichisalsodepictedinFigure12.4.

FIGURE12.4AmazonEC2securitygroupfirewall

Thelevelofsecurityaffordedbythefirewallisafunctionofwhichportsyouopenandforwhatdurationandpurpose.Well-informedtrafficmanagementandsecuritydesignarestillrequiredonaper-instancebasis.AWSfurtherencouragesyoutoapplyadditionalper-instancefilterswithhost-basedfirewallssuchasIPtablesortheWindowsFirewallandVPNs.Thiscanrestrictbothinboundandoutboundtraffic.

Thedefaultstateistodenyallincomingtraffic,andyoushouldcarefullyplanwhatyouwillopenwhenbuildingandsecuringyourapplications.

APIAccessAPIcallstolaunchandterminateinstances,changefirewallparameters,andperformotherfunctionsareallsignedbyyourAmazonSecretAccessKey,whichcouldbeeithertheAWSaccount’sSecretAccessKeyortheSecretAccesskeyofausercreatedwithAWSIAM.WithoutaccesstoyourSecretAccessKey,AmazonEC2APIcallscannotbemadeonyourbehalf.APIcallscanalsobeencryptedwithSSLtomaintainconfidentiality.AWSrecommendsalwaysusingSSL-protectedAPIendpoints.

AmazonElasticBlockStorage(AmazonEBS)SecurityAmazonEBSallowsyoutocreatestoragevolumesfrom1GBto16TBthatcanbemountedasdevicesbyAmazonEC2

instances.Storagevolumesbehavelikeraw,unformattedblockdevices,withuser-supplieddevicenamesandablockdeviceinterface.YoucancreateafilesystemontopofAmazonEBSvolumesorusetheminanyotherwayyouwoulduseablockdevice(likeaharddrive).AmazonEBSvolumeaccessisrestrictedtotheAWSaccountthatcreatedthevolumeandtotheusersundertheAWSaccountcreatedwithAWSIAM(iftheuserhasbeengrantedaccesstotheEBSoperations).AllotherAWSaccountsandusersaredeniedthepermissiontovieworaccessthevolume.

DatastoredinAmazonEBSvolumesisredundantlystoredinmultiplephysicallocationsaspartofnormaloperationofthoseservicesandatnoadditionalcharge.However,AmazonEBSreplicationisstoredwithinthesameAvailabilityZone,notacrossmultiplezones;therefore,itishighlyrecommendedthatyouconductregularsnapshotstoAmazonS3forlong-termdatadurability.ForcustomerswhohavearchitectedcomplextransactionaldatabasesusingAmazonEBS,itisrecommendedthatbackupstoAmazonS3beperformedthroughthedatabasemanagementsystemsothatdistributedtransactionsandlogscanbecheckpointed.AWSdoesnotautomaticallyperformbackupsofdatathataremaintainedonvirtualdisksattachedtorunninginstancesonAmazonEC2.

YoucanmakeAmazonEBSvolumesnapshotspubliclyavailabletootherAWSaccountstouseasthebasisforcreatingduplicatevolumes.SharingAmazonEBSvolumesnapshotsdoesnotprovideotherAWSaccountswiththepermissiontoalterordeletetheoriginalsnapshot,asthatrightisexplicitlyreservedfortheAWSaccountthatcreatedthevolume.AnAmazonEBSsnapshotisablock-levelviewofanentireAmazonEBSvolume.Notethatdatathatisnotvisiblethroughthefilesystemonthevolume,suchasfilesthathavebeendeleted,maybepresentintheAmazonEBSsnapshot.Ifyouwanttocreatesharedsnapshots,youshoulddosocarefully.Ifavolumehasheldsensitivedataorhashadfilesdeletedfromit,youshouldcreateanewAmazonEBSvolumetoshare.Thedatatobecontainedinthesharedsnapshotshouldbecopiedtothenewvolume,andthesnapshotcreatedfromthenewvolume.

AmazonEBSvolumesarepresentedtoyouasrawunformattedblockdevicesthathavebeenwipedpriortobeingmadeavailableforuse.Wipingoccursimmediatelybeforereusesothatyoucanbeassuredthatthewipeprocessiscompleted.Ifyouhaveproceduresrequiringthatalldatabewipedviaaspecificmethod,youhavetheabilitytodosoonAmazonEBS.Youshouldconductaspecializedwipeprocedurepriortodeletingthevolumeforcompliancewithyourestablishedrequirements.

Encryptionofsensitivedataisgenerallyagoodsecuritypractice,andAWSprovidestheabilitytoencryptAmazonEBSvolumesandtheirsnapshotswithAdvancedEncryptionStandard(AES)-256.TheencryptionoccursontheserversthathosttheAmazonEC2instances,providingencryptionofdataasitmovesbetweenAmazonEC2instancesandAmazonEBSstorage.Inordertobeabletodothisefficientlyandwithlowlatency,theAmazonEBSencryptionfeatureisonlyavailableonAmazonEC2’smorepowerfulinstancetypes.

NetworkingAWSprovidesarangeofnetworkingservicesthatenableyoutocreatealogicallyisolatednetworkthatyoudefine,establishaprivatenetworkconnectiontotheAWSCloud,useahighlyavailableandscalableDomainNameSystem(DNS)service,anddelivercontenttoyourenduserswithlowlatencyathighdatatransferspeedswithacontentdeliveryweb

service.

ElasticLoadBalancingSecurityElasticLoadBalancingisusedtomanagetrafficonafleetofAmazonEC2instances,distributingtraffictoinstancesacrossallAvailabilityZoneswithinaregion.ElasticLoadBalancinghasalloftheadvantagesofanon-premisesloadbalancer,plusseveralsecuritybenefits:

TakesovertheencryptionanddecryptionworkfromtheAmazonEC2instancesandmanagesitcentrallyontheloadbalancer.

Offersclientsasinglepointofcontact,andcanalsoserveasthefirstlineofdefenseagainstattacksonyournetwork.

WhenusedinanAmazonVPC,supportscreationandmanagementofsecuritygroupsassociatedwithyourElasticLoadBalancingtoprovideadditionalnetworkingandsecurityoptions.

Supportsend-to-endtrafficencryptionusingTLS(previouslySSL)onthosenetworksthatusesecureHTTP(HTTPS)connections.WhenTLSisused,theTLSservercertificateusedtoterminateclientconnectionscanbemanagedcentrallyontheloadbalancer,insteadofoneveryindividualinstance.

HTTPS/TLSusesalong-termsecretkeytogenerateashort-termsessionkeytobeusedbetweentheserverandthebrowsertocreatetheencryptedmessage.ElasticLoadBalancingconfiguresyourloadbalancerwithapre-definedciphersetthatisusedforTLSnegotiationwhenaconnectionisestablishedbetweenaclientandyourloadbalancer.Thepre-definedciphersetprovidescompatibilitywithabroadrangeofclientsandusesstrongcryptographicalgorithms.However,somecustomersmayhaverequirementsforallowingonlyspecificciphersandprotocols(forexample,PaymentCardIndustryDataSecurityStandard[PCIDSS],Sarbanes-OxleyAct[SOX])fromclientstoensurethatstandardsaremet.Inthesecases,ElasticLoadBalancingprovidesoptionsforselectingdifferentconfigurationsforTLSprotocolsandciphers.Youcanchoosetoenableordisabletheciphersdependingonyourspecificrequirements.

Tohelpensuretheuseofnewerandstrongerciphersuiteswhenestablishingasecureconnection,youcanconfiguretheloadbalancertohavethefinalsayintheciphersuiteselectionduringtheclient-servernegotiation.WhentheServerOrderPreferenceoptionisselected,theloadbalancerwillselectaciphersuitebasedontheserver’sprioritizationofciphersuitesinsteadoftheclient’s.Thisgivesyoumorecontroloverthelevelofsecuritythatclientsusetoconnecttoyourloadbalancer.

Forevengreatercommunicationprivacy,ElasticLoadBalancingallowstheuseofPerfectForwardSecrecy,whichusessessionkeysthatareephemeralandnotstoredanywhere.Thispreventsthedecodingofcaptureddata,evenifthesecretlong-termkeyitselfiscompromised.

ElasticLoadBalancingallowsyoutoidentifytheoriginatingIPaddressofaclientconnectingtoyourservers,whetheryou’reusingHTTPSorTCPloadbalancing.Typically,clientconnectioninformation,suchasIPaddressandport,islostwhenrequestsareproxiedthroughaloadbalancer.Thisisbecausetheloadbalancersendsrequeststotheserveron

behalfoftheclient,makingyourloadbalancerappearasthoughitistherequestingclient.HavingtheoriginatingclientIPaddressisusefulifyouneedmoreinformationaboutvisitorstoyourapplicationsinordertogatherconnectionstatistics,analyzetrafficlogs,ormanagewhitelistsofIPaddresses.

ElasticLoadBalancingaccesslogscontaininformationabouteachHTTPandTCPrequestprocessedbyyourloadbalancer.ThisincludestheIPaddressandportoftherequestingclient,theback-endIPaddressoftheinstancethatprocessedtherequest,thesizeoftherequestandresponse,andtheactualrequestlinefromtheclient(forexample,GEThttp://www.example.com:80/HTTP/1.1).Allrequestssenttotheloadbalancerarelogged,includingrequeststhatnevermakeittoback-endinstances.

AmazonVirtualPrivateCloud(AmazonVPC)SecurityNormally,eachAmazonEC2instanceyoulaunchisrandomlyassignedapublicIPaddressintheAmazonEC2addressspace.AmazonVPCenablesyoutocreateanisolatedportionoftheAWSCloudandlaunchAmazonEC2instancesthathaveprivate(RFC1918)addressesintherangeofyourchoice(forexample,10.0.0.0/16).YoucandefinesubnetswithinyourAmazonVPC,groupingsimilarkindsofinstancesbasedonIPaddressrangeandthensetuproutingandsecuritytocontroltheflowoftrafficinandoutoftheinstancesandsubnets.

SecurityfeatureswithinAmazonVPCincludesecuritygroups,networkACLs,routingtables,andexternalgateways.Eachoftheseitemsiscomplementarytoprovidingasecure,isolatednetworkthatcanbeextendedthroughselectiveenablingofdirectInternetaccessorprivateconnectivitytoanothernetwork.AmazonEC2instancesrunningwithinanAmazonVPCinheritallofthebenefitsdescribedbelowrelatedtotheguestOSandprotectionagainstpacketsniffing.Note,however,thatyoumustcreatesecuritygroupsspecificallyforyourAmazonVPC;anyAmazonEC2securitygroupsyouhavecreatedwillnotworkinsideyourAmazonVPC.Inaddition,AmazonVPCsecuritygroupshaveadditionalcapabilitiesthatAmazonEC2securitygroupsdonothave,suchasbeingabletochangethesecuritygroupaftertheinstanceislaunchedandbeingabletospecifyanyprotocolwithastandardprotocolnumber(asopposedtojustTCP,UserDatagramProtocol[UDP],orInternetControlMessageProtocol[ICMP]).

EachAmazonVPCisadistinct,isolatednetworkwithinthecloud;networktrafficwithineachAmazonVPCisisolatedfromallotherAmazonVPCs.Atcreationtime,youselectanIPaddressrangeforeachAmazonVPC.YoumaycreateandattachanInternetgateway,virtualprivategateway,orbothtoestablishexternalconnectivity,subjecttothefollowingcontrols.

APIAccessCallstocreateanddeleteAmazonVPCs;changerouting,securitygroup,andnetworkACLparameters;andperformotherfunctionsareallsignedbyyourAmazonSecretAccessKey,whichcouldbeeithertheAWSaccount’sSecretAccessKeyortheSecretAccesskeyofausercreatedwithAWSIAM.WithoutaccesstoyourSecretAccessKey,AmazonVPCAPIcallscannotbemadeonyourbehalf.Inaddition,APIcallscanbeencryptedwithSSLtomaintainconfidentiality.AWSrecommendsalwaysusingSSL-protectedAPIendpoints.AWSIAMalsoenablesacustomertofurthercontrolwhatAPIsanewlycreateduserhaspermissionstocall.

SubnetsandRouteTablesYoucreateoneormoresubnetswithineachAmazonVPC;eachinstancelaunchedintheAmazonVPCisconnectedtoonesubnet.TraditionalLayer2

http://http://www.example.com

securityattacks,includingMACspoofingandARPspoofing,areblocked.EachsubnetinanAmazonVPCisassociatedwitharoutingtable,andallnetworktrafficleavingthesubnetisprocessedbytheroutingtabletodeterminethedestination.

Firewall(SecurityGroups)LikeAmazonEC2,AmazonVPCsupportsacompletefirewallsolution,enablingfilteringonbothingressandegresstrafficfromaninstance.Thedefaultgroupenablesinboundcommunicationfromothermembersofthesamegroupandoutboundcommunicationtoanydestination.TrafficcanberestrictedbyanyIPprotocol,byserviceport,andsource/destinationIPaddress(individualIPorCIDRblock).Thefirewallisn’tcontrolledthroughtheguestOS;rather,itcanbemodifiedonlythroughtheinvocationofAmazonVPCAPIs.AWSsupportstheabilitytograntgranularaccesstodifferentadministrativefunctionsontheinstancesandthefirewall,thereforeenablingyoutoimplementadditionalsecuritythroughseparationofduties.Thelevelofsecurityaffordedbythefirewallisafunctionofwhichportsyouopenandforwhatdurationandpurpose.Well-informedtrafficmanagementandsecuritydesignarestillrequiredonaper-instancebasis.AWSfurtherencouragesyoutoapplyadditionalper-instancefilterswithhost-basedfirewallssuchasIPtablesortheWindowsFirewall.Figure12.5illustratesanAmazonVPCwithtwotypesofsubnets—publicandprivate—andtwonetworkpathswithtwodifferentnetworks—acustomerdatacenterandtheInternet.

FIGURE12.5AmazonVPCnetworkarchitecture

NetworkACLsToaddafurtherlayerofsecuritywithinAmazonVPC,youcanconfigurenetworkACLs.ThesearestatelesstrafficfiltersthatapplytoalltrafficinboundoroutboundfromasubnetwithinAmazonVPC.TheseACLscancontainorderedrulestoallowordenytrafficbasedonIPprotocol,byserviceport,andsource/destinationIPaddress.

Likesecuritygroups,networkACLsaremanagedthroughAmazonVPCAPIs,addinganadditionallayerofprotectionandenablingadditionalsecuritythroughseparationofduties.Figure12.6depictshowthesecuritycontrolsaboveinterrelatetoenableflexiblenetworktopologieswhileprovidingcompletecontrolovernetworktrafficflows.

FIGURE12.6Flexiblenetworkarchitectures

VirtualPrivateGatewayAvirtualprivategatewayenablesprivateconnectivitybetweentheAmazonVPCandanothernetwork.Networktrafficwithineachvirtualprivategatewayisisolatedfromnetworktrafficwithinallothervirtualprivategateways.YoucanestablishVPNconnectionstothevirtualprivategatewayfromgatewaydevicesatyourpremises.EachconnectionissecuredbyapresharedkeyinconjunctionwiththeIPaddressofthecustomergatewaydevice.

InternetGatewayAnInternetgatewaymaybeattachedtoanAmazonVPCtoenabledirectconnectivitytoAmazonS3,otherAWSservices,andtheInternet.EachinstancedesiringthisaccessmusteitherhaveanElasticIPassociatedwithitorroutetrafficthroughaNetwork

AddressTranslation(NAT)instance.Additionally,networkroutesareconfiguredtodirecttraffictotheInternetgateway(seeFigure12.6).AWSprovidesreferenceNATAMIsthatyoucanextendtoperformnetworklogging,deeppacketinspection,applicationlayerfiltering,orothersecuritycontrols.

ThisaccesscanonlybemodifiedthroughtheinvocationofAmazonVPCAPIs.AWSsupportstheabilitytograntgranularaccesstodifferentadministrativefunctionsontheinstancesandtheInternetgateway,enablingyoutoimplementadditionalsecuritythroughseparationofduties.

DedicatedInstancesWithinanAmazonVPC,youcanlaunchAmazonEC2instancesthatarephysicallyisolatedatthehosthardwarelevel(thatis,theywillrunonsingle-tenanthardware).AnAmazonVPCcanbecreatedwith“dedicated”tenancy,sothatallinstanceslaunchedintotheAmazonVPCwillusethisfeature.Alternatively,anAmazonVPCmaybecreatedwith“default”tenancy,butyoucanspecifydedicatedtenancyforparticularinstanceslaunchedintoit.

AmazonCloudFrontSecurityAmazonCloudFrontgivescustomersaneasywaytodistributecontenttoenduserswithlowlatencyandhighdatatransferspeeds.Itdeliversdynamic,static,andstreamingcontentusingaglobalnetworkofedgelocations.Requestsforcustomers’objectsareautomaticallyroutedtothenearestedgelocation,socontentisdeliveredwiththebestpossibleperformance.AmazonCloudFrontisoptimizedtoworkwithotherAWSserviceslikeAmazonS3,AmazonEC2,ElasticLoadBalancing,andAmazonRoute53.Italsoworksseamlesslywithanynon-AWSoriginserverthatstorestheoriginal,definitiveversionsofyourfiles.

AmazonCloudFrontrequiresthateveryrequestmadetoitscontrolAPIisauthenticatedsoonlyauthorizeduserscancreate,modify,ordeletetheirownAmazonCloudFrontdistributions.RequestsaresignedwithanHMAC-SHA-1signaturecalculatedfromtherequestandtheuser’sprivatekey.Additionally,theAmazonCloudFrontcontrolAPIisonlyaccessibleviaSSL-enabledendpoints.

ThereisnoguaranteeofdurabilityofdataheldinAmazonCloudFrontedgelocations.Theservicemaysometimesremoveobjectsfromedgelocationsifthoseobjectsarenotrequestedfrequently.DurabilityisprovidedbyAmazonS3,whichworksastheoriginserverforAmazonCloudFrontbyholdingtheoriginal,definitivecopiesofobjectsdeliveredbyAmazonCloudFront.

IfyouwantcontroloverwhocandownloadcontentfromAmazonCloudFront,youcanenabletheservice’sprivatecontentfeature.Thisfeaturehastwocomponents.ThefirstcontrolshowcontentisdeliveredfromtheAmazonCloudFrontedgelocationtoviewersontheInternet.ThesecondcontrolshowtheAmazonCloudFrontedgelocationsaccessobjectsinAmazonS3.AmazonCloudFrontalsosupportsgeorestriction,whichrestrictsaccesstoyourcontentbasedonthegeographiclocationofyourviewers.

TocontrolaccesstotheoriginalcopiesofyourobjectsinAmazonS3,AmazonCloudFrontallowsyoutocreateoneormoreOriginAccessIdentitiesandassociatethesewithyourdistributions.WhenanOriginAccessIdentityisassociatedwithanAmazonCloudFrontdistribution,thedistributionwillusethatidentitytoretrieveobjectsfromAmazonS3.YoucanthenuseAmazonS3’sACLfeature,whichlimitsaccesstothatOriginAccessIdentityso

theoriginalcopyoftheobjectisnotpubliclyreadable.

TocontrolwhocandownloadobjectsfromAmazonCloudFrontedgelocations,theserviceusesasigned-URLverificationsystem.Tousethissystem,youfirstcreateapublic-privatekeypairanduploadthepublickeytoyouraccountviatheAWSManagementConsole.YouthenconfigureyourAmazonCloudFrontdistributiontoindicatewhichaccountsyouwouldauthorizetosignrequests—youcanindicateuptofiveAWSaccountsthatyoutrusttosignrequests.Asyoureceiverequests,youwillcreatepolicydocumentsindicatingtheconditionsunderwhichyouwantAmazonCloudFronttoserveyourcontent.Thesepolicydocumentscanspecifythenameoftheobjectthatisrequested,thedateandtimeoftherequest,andthesourceIP(orCIDRrange)oftheclientmakingtherequest.YouthencalculatetheSHA-1hashofyourpolicydocumentandsignthisusingyourprivatekey.Finally,youincludeboththeencodedpolicydocumentandthesignatureasquerystringparameterswhenyoureferenceyourobjects.WhenAmazonCloudFrontreceivesarequest,itwilldecodethesignatureusingyourpublickey.AmazonCloudFrontwillonlyserverequeststhathaveavalidpolicydocumentandmatchingsignature.

NotethatprivatecontentisanoptionalfeaturethatmustbeenabledwhenyousetupyourAmazonCloudFrontdistribution.Contentdeliveredwithoutthisfeatureenabledwillbepubliclyreadable.

AmazonCloudFrontprovidestheoptiontotransfercontentoveranencryptedconnection(HTTPS).Bydefault,AmazonCloudFrontwillacceptrequestsoverbothHTTPandHTTPSprotocols.However,youcanalsoconfigureAmazonCloudFronttorequireHTTPSforallrequestsorhaveAmazonCloudFrontredirectHTTPrequeststoHTTPS.YoucanevenconfigureAmazonCloudFrontdistributionstoallowHTTPforsomeobjectsbutrequireHTTPSforotherobjects.

StorageAWSprovideslow-costdatastoragewithhighdurabilityandavailability.AWSoffersstoragechoicesforbackup,archiving,anddisasterrecovery,andalsoforblockandobjectstorage.

AmazonSimpleStorageService(AmazonS3)SecurityAmazonS3allowsyoutouploadandretrievedataatanytime,fromanywhereontheweb.AmazonS3storesdataasobjectswithinbuckets.Anobjectcanbeanykindoffile:atextfile,aphoto,avideo,andmore.WhenyouaddafiletoAmazonS3,youhavetheoptionofincludingmetadatawiththefileandsettingpermissionstocontrolaccesstothefile.Foreachbucket,youcancontrolaccesstothebucket(whocancreate,delete,andlistobjectsinthebucket),viewaccesslogsforthebucketanditsobjects,andchoosethegeographicalregionwhereAmazonS3willstorethebucketanditscontents.

DataAccessAccesstodatastoredinAmazonS3isrestrictedbydefault;onlybucketandobjectownershaveaccesstotheAmazonS3resourcestheycreate.(Notethatabucket/objectowneristheAWSaccountowner,nottheuserwhocreatedthebucket/object.)Therearemultiplewaystocontrolaccesstobucketsandobjects:

IAMPoliciesAWSIAMenablesorganizationswithmanyemployeestocreateandmanage

multipleusersunderasingleAWSaccount.IAMpoliciesareattachedtotheusers,enablingcentralizedcontrolofpermissionsforusersunderyourAWSaccounttoaccessbucketsorobjects.WithIAMpolicies,youcanonlygrantuserswithinyourownAWSaccountpermissiontoaccessyourAmazonS3resources.

ACLsWithinAmazonS3,youcanuseACLstogivereadorwriteaccessonbucketsorobjectstogroupsofusers.WithACLs,youcanonlygrantotherAWSaccounts(notspecificusers)accesstoyourAmazonS3resources.

BucketPoliciesBucketpoliciesinAmazonS3canbeusedtoaddordenypermissionsacrosssomeoralloftheobjectswithinasinglebucket.Policiescanbeattachedtousers,groups,orAmazonS3buckets,enablingcentralizedmanagementofpermissions.Withbucketpolicies,youcangrantuserswithinyourAWSaccountorotherAWSaccountsaccesstoyourAmazonS3resources.

QueryStringAuthenticationYoucanuseaquerystringtoexpressarequestentirelyinaURL.Inthiscase,youusequeryparameterstoproviderequestinformation,includingtheauthenticationinformation.BecausetherequestsignatureispartoftheURL,thistypeofURLisoftenreferredtoasapre-signedURL.Youcanusepre-signedURLstoembedclickablelinks,whichcanbevalidforuptosevendays,inHTML.

Youcanfurtherrestrictaccesstospecificresourcesbasedoncertainconditions.Forexample,youcanrestrictaccessbasedonrequesttime(DateCondition),whethertherequestwassentusingSSL(BooleanConditions),arequester’sIPaddress(IPAddressCondition),ortherequester’sclientapplication(StringConditions).Toidentifytheseconditions,youusepolicykeys.

AmazonS3alsogivesdeveloperstheoptiontousequerystringauthentication,whichallowsthemtoshareAmazonS3objectsthroughURLsthatarevalidforapredefinedperiodoftime.QuerystringauthenticationisusefulforgivingHTTPforbrowseraccesstoresourcesthatwouldnormallyrequireauthentication.Thesignatureinthequerystringsecurestherequest.

DataTransferFormaximumsecurity,youcansecurelyupload/downloaddatatoAmazonS3viatheSSL-encryptedendpoints.TheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2,sothatdataistransferredsecurelybothwithinAWSandtoandfromsourcesoutsideofAWS.

DataStorageAmazonS3providesmultipleoptionsforprotectingdataatrest.Forcustomerswhoprefertomanagetheirownencryption,theycanuseaclientencryptionlibraryliketheAmazonS3EncryptionClienttoencryptdatabeforeuploadingtoAmazonS3.Alternatively,youcanuseAmazonS3ServerSideEncryption(SSE)ifyouprefertohaveAmazonS3managetheencryptionprocessforyou.DataisencryptedwithakeygeneratedbyAWSorwithakeyyousupply,dependingonyourrequirements.WithAmazonS3SSE,youcanencryptdataonuploadsimplybyaddinganadditionalrequestheaderwhenwritingtheobject.Decryptionhappensautomaticallywhendataisretrieved.Notethatmetadata,whichyoucanincludewithyourobject,isnotencrypted.

AWSrecommendsthatcustomersnotplacesensitiveinformationinAmazonS3metadata.

AmazonS3SSEusesoneofthestrongestblockciphersavailable:AES-256.WithAmazonS3SSE,everyprotectedobjectisencryptedwithauniqueencryptionkey.Thisobjectkeyitselfisthenencryptedwitharegularlyrotatedmasterkey.AmazonS3SSEprovidesadditionalsecuritybystoringtheencrypteddataandencryptionkeysindifferenthosts.AmazonS3SSEalsomakesitpossibleforyoutoenforceencryptionrequirements.Forexample,youcancreateandapplybucketpoliciesthatrequirethatonlyencrypteddatacanbeuploadedtoyourbuckets.

WhenanobjectisdeletedfromAmazonS3,removalofthemappingfromthepublicnametotheobjectstartsimmediatelyandisgenerallyprocessedacrossthedistributedsystemwithinseveralseconds.Afterthemappingisremoved,thereisnoremoteaccesstothedeletedobject.Theunderlyingstorageareaisthenreclaimedforusebythesystem.

AmazonS3Standardisdesignedtoprovide99.999999999percentdurabilityofobjectsoveragivenyear.Thisdurabilitylevelcorrespondstoanaverageannualexpectedlossof0.000000001percentofobjects.Forexample,ifyoustore10,000objectswithAmazonS3,youcan,onaverage,expecttoincuralossofasingleobjectonceevery10,000,000years.Inaddition,AmazonS3isdesignedtosustaintheconcurrentlossofdataintwofacilities.

AccessLogsAnAmazonS3bucketcanbeconfiguredtologaccesstothebucketandobjectswithinit.Theaccesslogcontainsdetailsabouteachaccessrequestincludingrequesttype,therequestedresource,therequestor’sIP,andthetimeanddateoftherequest.Whenloggingisenabledforabucket,logrecordsareperiodicallyaggregatedintologfilesanddeliveredtothespecifiedAmazonS3bucket.

Cross-OriginResourceSharing(CORS)AWScustomerswhouseAmazonS3tohoststaticwebpagesorstoreobjectsusedbyotherwebpagescanloadcontentsecurelybyconfiguringanAmazonS3buckettoexplicitlyenablecross-originrequests.ModernbrowsersusetheSameOriginpolicytoblockJavaScriptorHTML5fromallowingrequeststoloadcontentfromanothersiteordomainasawaytohelpensurethatmaliciouscontentisnotloadedfromalessreputablesource(suchasduringcross-sitescriptingattacks).WiththeCross-OriginResourceSharing(CORS)policyenabled,assetssuchaswebfontsandimagesstoredinanAmazonS3bucketcanbesafelyreferencedbyexternalwebpages,stylesheets,andHTML5applications.

AmazonGlacierSecurityLikeAmazonS3,theAmazonGlacierserviceprovideslow-cost,secure,anddurablestorage.WhereAmazonS3isdesignedforrapidretrieval,however,AmazonGlacierismeanttobeusedasanarchivalservicefordatathatisnotaccessedoftenandforwhichretrievaltimesofseveralhoursaresuitable.

AmazonGlacierstoresfilesasarchiveswithinvaults.Archivescanbeanydatasuchasaphoto,video,ordocument,andcancontainoneorseveralfiles.Youcanstoreanunlimitednumberofarchivesinasinglevaultandcancreateupto1,000vaultsperregion.Eacharchivecancontainupto40TBofdata.

DataTransferFormaximumsecurity,youcansecurelyupload/downloaddatatoAmazonGlacierviatheSSLencryptedendpoints.TheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2,sothatdataistransferredsecurelybothwithinAWSandtoandfromsourcesoutsideofAWS.

DataRetrievalRetrievingarchivesfromAmazonGlacierrequirestheinitiationofaretrievaljob,whichisgenerallycompletedinthreetofivehours.YoucanthenaccessthedataviaHTTPGETrequests.Thedatawillremainavailabletoyoufor24hours.Youcanretrieveanentirearchiveorseveralfilesfromanarchive.Ifyouwanttoretrieveonlyasubsetofanarchive,youcanuseoneretrievalrequesttospecifytherangeofthearchivethatcontainsthefilesinwhichyouareinterestedoryoucaninitiatemultipleretrievalrequests,eachwitharangeforoneormorefiles.

Youcanalsolimitthenumberofvaultinventoryitemsretrievedbyfilteringonanarchivecreationdaterangeorbysettingamaximumitemslimit.Whichevermethodyouchoose,whenyouretrieveportionsofyourarchive,youcanusethesuppliedchecksumtohelpensuretheintegrityofthefilesprovidedthattherangethatisretrievedisalignedwiththetreehashoftheoverallarchive.

DataStorageAmazonGlacierautomaticallyencryptsthedatausingAES-256andstoresitdurablyinanimmutableform.AmazonGlacierisdesignedtoprovideaverageannualdurabilityof99.999999999percentforanarchive.Itstoreseacharchiveinmultiplefacilitiesandmultipledevices.Unliketraditionalsystems,whichcanrequirelaboriousdataverificationandmanualrepair,AmazonGlacierperformsregular,systematicdataintegritychecksandisbuilttobeself-healing.

DataAccessOnlyyouraccountcanaccessyourdatainAmazonGlacier.TocontrolaccesstoyourdatainAmazonGlacier,youcanuseAWSIAMtospecifywhichuserswithinyouraccounthaverightstooperationsonagivenvault.

AWSStorageGatewaySecurityTheAWSStorageGatewayserviceconnectsyouron-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenyourITenvironmentandAWSstorageinfrastructure.TheserviceenablesyoutouploaddatasecurelytoAWSscalable,reliable,andsecureAmazonS3storageserviceforcost-effectivebackupandrapiddisasterrecovery.

DataTransferDataisasynchronouslytransferredfromyouron-premisesstoragehardwaretoAWSoverSSL.

DataStorageThedataisstoredencryptedinAmazonS3usingAES256,asymmetrickeyencryptionstandardusing256-bitencryptionkeys.TheAWSStorageGatewayonlyuploadsdatathathaschanged,minimizingtheamountofdatasentovertheInternet.

DatabaseAWSprovidesanumberofdatabasesolutionsfordevelopersandbusinessesfrommanagedrelationalandNoSQLdatabaseservices,toin-memorycachingasaserviceandpetabyte-scaledatawarehouseservice.

AmazonDynamoDBSecurityAmazonDynamoDBisamanagedNoSQLdatabaseservicethatprovidesfastandpredictableperformancewithseamlessscalability.AmazonDynamoDBenablesyoutooffloadtheadministrativeburdensofoperatingandscalingdistributeddatabasestoAWS,soyoudon’thavetoworryabouthardwareprovisioning,setupandconfiguration,replication,softwarepatching,orclusterscaling.

Youcancreateadatabasetablethatcanstoreandretrieveanyamountofdataandserveanylevelofrequesttraffic.AmazonDynamoDBautomaticallyspreadsthedataandtrafficforthetableoverasufficientnumberofserverstohandletherequestcapacityyouspecifiedandtheamountofdatastored,whilemaintainingconsistent,fastperformance.AlldataitemsarestoredonSolidStateDrives(SSDs)andareautomaticallyreplicatedacrossmultipleAvailabilityZonesinaregiontoprovidebuilt-inhighavailabilityanddatadurability.

YoucansetupautomaticbackupsusingaspecialtemplateinAWSDataPipelinethatwascreatedjustforcopyingAmazonDynamoDBtables.Youcanchoosefullorincrementalbackupstoatableinthesameregionoradifferentregion.YoucanusethecopyfordisasterrecoveryintheeventthatanerrorinyourcodedamagestheoriginaltableortofederateAmazonDynamoDBdataacrossregionstosupportamulti-regionapplication.

TocontrolwhocanusetheAmazonDynamoDBresourcesandAPI,yousetuppermissionsinAWSIAM.Inadditiontocontrollingaccessattheresource-levelwithIAM,youcanalsocontrolaccessatthedatabaselevel—youcancreatedatabase-levelpermissionsthatallowordenyaccesstoitems(rows)andattributes(columns)basedontheneedsofyourapplication.Thesedatabase-levelpermissionsarecalledfine-grainedaccesscontrols,andyoucreatethemusinganIAMpolicythatspecifiesunderwhatcircumstancesauserorapplicationcanaccessanAmazonDynamoDBtable.TheIAMpolicycanrestrictaccesstoindividualitemsinatable,accesstotheattributesinthoseitems,orbothatthesametime.

Inadditiontorequiringdatabaseanduserpermissions,eachrequesttotheAmazonDynamoDBservicemustcontainavalidHMAC-SHA-256signatureortherequestisrejected.TheAWSSDKsautomaticallysignyourrequests;however,ifyouwanttowriteyourownHTTPPOSTrequests,youmustprovidethesignatureintheheaderofyourrequesttoAmazonDynamoDB.Tocalculatethesignature,youmustrequesttemporarysecuritycredentialsfrom

theAWSSecurityTokenService.UsethetemporarysecuritycredentialstosignyourrequeststoAmazonDynamoDB.AmazonDynamoDBisaccessibleviaSSL-encryptedendpoints,andtheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2.

AmazonRelationalDatabaseService(AmazonRDS)SecurityAmazonRelationalDatabaseService(AmazonRDS)allowsyoutoquicklycreatearelationalDatabaseInstance(DBInstance)andflexiblyscaletheassociatedcomputeresourcesandstoragecapacitytomeetapplicationdemand.AmazonRDSmanagesthedatabaseinstanceonyourbehalfbyperformingbackups,handlingfailover,andmaintainingthedatabasesoftware.Asofthetimeofthiswriting,AmazonRDSisavailableforMySQL,Oracle,MicrosoftSQLServer,MariaDB,AmazonAurora,andPostgreSQLdatabaseengines.

AmazonRDShasmultiplefeaturesthatenhancereliabilityforcriticalproductiondatabases,includingDBsecuritygroups,permissions,SSLconnections,automatedbackups,DBsnapshots,andmultipleAvailabilityZone(Multi-AZ)deployments.DBInstancescanalsobedeployedinanAmazonVPCforadditionalnetworkisolation.

AccessControlWhenyoufirstcreateaDBInstancewithinAmazonRDS,youwillcreateamasteruseraccount,whichisusedonlywithinthecontextofAmazonRDStocontrolaccesstoyourDBInstance(s).ThemasteruseraccountisanativedatabaseuseraccountthatallowsyoutologontoyourDBInstancewithalldatabaseprivileges.YoucanspecifythemasterusernameandpasswordyouwantassociatedwitheachDBInstancewhenyoucreatetheDBInstance.AfteryouhavecreatedyourDBInstance,youcanconnecttothedatabaseusingthemasterusercredentials.Subsequently,youcancreateadditionaluseraccountssothatyoucanrestrictwhocanaccessyourDBInstance.

YoucancontrolAmazonRDSDBInstanceaccessviaDBsecuritygroups,whicharesimilartoAmazonEC2securitygroupsbutnotinterchangeable.DBsecuritygroupsactlikeafirewallcontrollingnetworkaccesstoyourDBInstance.DBsecuritygroupsdefaulttodenyallaccessmode,andcustomersmustspecificallyauthorizenetworkingress.Therearetwowaysofdoingthis:

AuthorizinganetworkIPrange

AuthorizinganexistingAmazonEC2securitygroup

DBsecuritygroupsonlyallowaccesstothedatabaseserverport(allothersareblocked)andcanbeupdatedwithoutrestartingtheAmazonRDSDBInstance,whichgivesyouseamlesscontroloftheirdatabaseaccess.

UsingAWSIAM,youcanfurthercontrolaccesstoyourAmazonRDSDBinstances.AWSIAMenablesyoutocontrolwhatAmazonRDSoperationseachindividualAWSIAMuserhaspermissiontocall.

NetworkIsolationForadditionalnetworkaccesscontrol,youcanrunyourDBInstancesinanAmazonVPC.AmazonVPCenablesyoutoisolateyourDBInstancesbyspecifyingtheIPrangeyouwanttouseandconnecttoyourexistingITinfrastructurethroughindustry-standardencryptedIPsecVPN.RunningAmazonRDSinaVPCenablesyoutohaveaDBinstancewithinaprivatesubnet.YoucanalsosetupavirtualprivategatewaythatextendsyourcorporatenetworkintoyourVPC,andallowsaccesstotheRDSDBinstanceinthatVPC.

ForMulti-AZdeployments,definingasubnetforallAvailabilityZonesinaregion,willallow

AmazonRDStocreateanewstandbyinanotherAvailabilityZoneshouldtheneedarise.YoucancreateDBsubnetgroups,whicharecollectionsofsubnetsthatyoumaywanttodesignateforyourAmazonRDSDBInstancesinanAmazonVPC.EachDBsubnetgroupshouldhaveatleastonesubnetforeveryAvailabilityZoneinagivenregion.Inthiscase,whenyoucreateaDBInstanceinanAmazonVPC,youselectaDBsubnetgroup;AmazonRDSthenusesthatDBsubnetgroupandyourpreferredAvailabilityZonetoselectasubnetandanIPaddresswithinthatsubnet.AmazonRDScreatesandassociatesanElasticNetworkInterfacetoyourDBInstancewiththatIPaddress.

DBInstancesdeployedwithinanAmazonVPCcanbeaccessedfromtheInternetorfromAmazonEC2instancesoutsidetheAmazonVPCviaVPNorbastionhoststhatyoucanlaunchinyourpublicsubnet.Touseabastionhost,youwillneedtosetupapublicsubnetwithanAmazonEC2instancethatactsasaSSHBastion.ThispublicsubnetmusthaveanInternetgatewayandroutingrulesthatallowtraffictobedirectedviatheSSHhost,whichmustthenforwardrequeststotheprivateIPaddressofyourAmazonRDSDBInstance.

DBsecuritygroupscanbeusedtohelpsecureDBInstanceswithinanAmazonVPC.Inaddition,networktrafficenteringandexitingeachsubnetcanbeallowedordeniedvianetworkACLs.AllnetworktrafficenteringorexitingyourAmazonVPCviayourIPsecVPNconnectioncanbeinspectedbyyouron-premisessecurityinfrastructure,includingnetworkfirewallsandintrusiondetectionsystems.

EncryptionYoucanencryptconnectionsbetweenyourapplicationandyourDBInstanceusingSSL.ForMySQLandSQLServer,AmazonRDScreatesanSSLcertificateandinstallsthecertificateontheDBInstancewhentheinstanceisprovisioned.ForMySQL,youlaunchtheMySQLclientusingthe--ssl_caparametertoreferencethepublickeyinordertoencryptconnections.ForSQLServer,downloadthepublickeyandimportthecertificateintoyourWindowsoperatingsystem.OracleRDSusesOraclenativenetworkencryptionwithaDBInstance.YousimplyaddthenativenetworkencryptionoptiontoanoptiongroupandassociatethatoptiongroupwiththeDBInstance.Afteranencryptedconnectionisestablished,datatransferredbetweentheDBInstanceandyourapplicationwillbeencryptedduringtransfer.YoucanalsorequireyourDBInstancetoacceptonlyencryptedconnections.

AmazonRDSsupportsTransparentDataEncryption(TDE)forSQLServer(SQLServerEnterpriseEdition)andOracle(partoftheOracleAdvancedSecurityoptionavailableinOracleEnterpriseEdition).TheTDEfeatureautomaticallyencryptsdatabeforeitiswrittentostorageandautomaticallydecryptsdatawhenitisreadfromstorage.IfyourequireyourMySQLdatatobeencryptedwhileatrestinthedatabase,yourapplicationmustmanagetheencryptionanddecryptionofdata.

NotethatSSLsupportwithinAmazonRDSisforencryptingtheconnectionbetweenyourapplicationandyourDBInstance;itshouldnotbereliedonforauthenticatingtheDBInstanceitself.WhileSSLofferssecuritybenefits,beawarethatSSLencryptionisacomputeintensiveoperationandwillincreasethelatencyofyourdatabaseconnection.

AutomatedBackupsandDBSnapshotsAmazonRDSprovidestwodifferentmethodsforbackingupandrestoringyourDBInstance(s):automatedbackupsandDatabaseSnapshots(DBSnapshots).Turnedonbydefault,theautomatedbackupfeatureofAmazonRDSenablespoint-in-timerecoveryforyourDBInstance.AmazonRDSwillbackupyourdatabaseandtransactionlogsandstorebothforauser-specifiedretentionperiod.Thisallows

youtorestoreyourDBInstancetoanysecondduringyourretentionperiod,uptothelastfiveminutes.Yourautomaticbackupretentionperiodcanbeconfiguredtoupto35days.

DBSnapshotsareuser-initiatedbackupsofyourDBInstance.ThesefulldatabasebackupsarestoredbyAmazonRDSuntilyouexplicitlydeletethem.YoucancopyDBsnapshotsofanysizeandmovethembetweenanyofAWSpublicregions,orcopythesamesnapshottomultipleregionssimultaneously.YoucanthencreateanewDBInstancefromaDBSnapshotwheneveryoudesire.

Duringthebackupwindow,storageI/Omaybesuspendedwhileyourdataisbeingbackedup.ThisI/Osuspensiontypicallylastsafewminutes.ThisI/OsuspensionisavoidedwithMulti-AZDBdeployments,becausethebackupistakenfromthestandby.

DBInstanceReplicationAWSCloudcomputingresourcesarehousedinhighlyavailabledatacenterfacilitiesindifferentregionsoftheworld,andeachregioncontainsmultipledistinctlocationscalledAvailabilityZones.EachAvailabilityZoneisengineeredtobeisolatedfromfailuresinotherAvailabilityZonesandprovideinexpensive,low-latencynetworkconnectivitytootherAvailabilityZonesinthesameregion.

ToarchitectforhighavailabilityofyourOracle,PostgreSQL,orMySQLdatabases,youcanrunyourAmazonRDSDBInstanceinseveralAvailabilityZones,anoptioncalledaMulti-AZdeployment.Whenyouselectthisoption,AWSautomaticallyprovisionsandmaintainsasynchronousstandbyreplicaofyourDBInstanceinadifferentAvailabilityZone.TheprimaryDBInstanceissynchronouslyreplicatedacrossAvailabilityZonestothestandbyreplica.IntheeventofDBInstanceorAvailabilityZonefailure,AmazonRDSwillautomaticallyfailovertothestandbysothatdatabaseoperationscanresumequicklywithoutadministrativeintervention.

ForcustomerswhouseMySQLandneedtoscalebeyondthecapacityconstraintsofasingleDBInstanceforread-heavydatabaseworkloads,AmazonRDSprovidesareadreplicaoption.Afteryoucreateareadreplica,databaseupdatesonthesourceDBInstancearereplicatedtothereadreplicausingMySQL’snative,asynchronousreplication.YoucancreatemultiplereadreplicasforagivensourceDBinstanceanddistributeyourapplication’sreadtrafficamongthem.ReadreplicascanbecreatedwithMulti-AZdeploymentstogainreadscalingbenefitsinadditiontotheenhanceddatabasewriteavailabilityanddatadurabilityprovidedbyMulti-AZdeployments.

AutomaticSoftwarePatchingAmazonRDSwillmakesurethattherelationaldatabasesoftwarepoweringyourdeploymentstaysup-to-datewiththelatestpatches.Whennecessary,patchesareappliedduringamaintenancewindowthatyoucancontrol.YoucanthinkoftheAmazonRDSmaintenancewindowasanopportunitytocontrolwhenDBInstancemodifications(suchasscalingDBInstanceclass)andsoftwarepatchingoccur,intheeventeitherarerequestedorrequired.Ifamaintenanceeventisscheduledforagivenweek,itwillbeinitiatedandcompletedatsomepointduringthe30-minutemaintenancewindowyouidentify.

TheonlymaintenanceeventsthatrequireAmazonRDStotakeyourDBInstanceofflinearescalecomputeoperations(whichgenerallytakeonlyafewminutesfromstarttofinish)orrequiredsoftwarepatching.Requiredpatchingisautomaticallyscheduledonlyforpatchesthatarerelatedtosecurityanddurability.Suchpatchingoccursinfrequently(typicallyonceeveryfewmonths)andshouldseldomrequiremorethanafractionofyourmaintenance

window.IfyoudonotspecifyapreferredweeklymaintenancewindowwhencreatingyourDBInstance,a30-minutedefaultvalueisassigned.Ifyouwanttomodifywhenmaintenanceisperformedonyourbehalf,youcandosobymodifyingyourDBInstanceintheAWSManagementConsoleorbyusingtheModifyDBInstanceAPI.EachofyourDBInstancescanhavedifferentpreferredmaintenancewindows,ifyousochoose.

RunningyourDBInstanceinaMulti-AZdeploymentcanfurtherreducetheimpactofamaintenanceevent,asAmazonRDSwillconductmaintenanceviathefollowingsteps:

1. Performmaintenanceonstandby.

2. Promotestandbytoprimary.

3. Performmaintenanceonoldprimary,whichbecomesthenewstandby.

WhenanAmazonRDSDBInstancedeletionAPI(DeleteDBInstance)isrun,theDBInstanceismarkedfordeletion.Aftertheinstancenolongerindicatesdeletingstatus,ithasbeenremoved.Atthispoint,theinstanceisnolongeraccessible,andunlessafinalsnapshotcopywasaskedfor,itcannotberestoredandwillnotbelistedbyanyofthetoolsorAPIs.

AmazonRedshiftSecurityAmazonRedshiftisapetabyte-scaleSQLdatawarehouseservicethatrunsonhighlyoptimizedandmanagedAWScomputeandstorageresources.Theservicehasbeenarchitectednotonlytoscaleupordownrapidly,butalsotoimprovequeryspeedssignificantlyevenonextremelylargedatasets.Toincreaseperformance,AmazonRedshiftusestechniquessuchascolumnarstorage,datacompression,andzonemapstoreducetheamountofI/Oneededtoperformqueries.ItalsohasaMassivelyParallelProcessing(MPP)architecture,parallelizinganddistributingSQLoperationstotakeadvantageofallavailableresources.

ClusterAccessBydefault,clustersthatyoucreateareclosedtoeveryone.AmazonRedshiftenablesyoutoconfigurefirewallrules(securitygroups)tocontrolnetworkaccesstoyourdatawarehousecluster.YoucanalsorunAmazonRedshiftinsideanAmazonVPCtoisolateyourdatawarehouseclusterinyourownvirtualnetworkandconnectittoyourexistingITinfrastructureusingindustry-standardencryptedIPsecVPN.

TheAWSaccountthatcreatestheclusterhasfullaccesstothecluster.WithinyourAWSaccount,youcanuseAWSIAMtocreateuseraccountsandmanagepermissionsforthoseaccounts.ByusingIAM,youcangrantdifferentuserspermissiontoperformonlytheclusteroperationsthatarenecessaryfortheirwork.Likealldatabases,youmustgrantpermissioninAmazonRedshiftatthedatabaselevelinadditiontograntingaccessattheresourcelevel.DatabaseusersarenameduseraccountsthatcanconnecttoadatabaseandareauthenticatedwhentheylogintoAmazonRedshift.InAmazonRedshift,yougrantdatabaseuserpermissionsonaper-clusterbasisinsteadofonaper-tablebasis.However,userscanseedataonlyinthetablerowsthatweregeneratedbytheirownactivities;rowsgeneratedbyotherusersarenotvisibletothem.

Theuserwhocreatesadatabaseobjectisitsowner.Bydefault,onlyasuperuserortheownerofanobjectcanquery,modify,orgrantpermissionsontheobject.Foruserstouseanobject,youmustgrantthenecessarypermissionstotheuserorthegroupthatcontainstheuser.Inaddition,onlytheownerofanobjectcanmodifyordeleteit.

DataBackupsAmazonRedshiftdistributesyourdataacrossallcomputenodesinacluster.Whenyourunaclusterwithatleasttwocomputenodes,dataoneachnodewillalwaysbemirroredondisksonanothernode,reducingtheriskofdataloss.Inaddition,alldatawrittentoanodeinyourclusteriscontinuouslybackeduptoAmazonS3usingsnapshots.AmazonRedshiftstoresyoursnapshotsforauser-definedperiod,whichcanbefrom1to35days.Youcanalsotakeyourownsnapshotsatanytime;thesesnapshotsleverageallexistingsystemsnapshotsandareretaineduntilyouexplicitlydeletethem.

AmazonRedshiftcontinuouslymonitorsthehealthoftheclusterandautomaticallyre-replicatesdatafromfaileddrivesandreplacesnodesasnecessary.Allofthishappenswithoutanyeffortonyourpart,althoughyoumayseeaslightperformancedegradationduringthere-replicationprocess.

YoucanuseanysystemorusersnapshottorestoreyourclusterusingtheAWSManagementConsoleortheAmazonRedshiftAPIs.Yourclusterisavailableassoonasthesystemmetadatahasbeenrestored,andyoucanstartrunningquerieswhileuserdataisspooleddowninthebackground.

DataEncryptionWhencreatingacluster,youcanchoosetoencryptitinordertoprovideadditionalprotectionforyourdataatrest.Whenyouenableencryptioninyourcluster,AmazonRedshiftstoresalldatainuser-createdtablesinanencryptedformatusinghardware-acceleratedAES-256blockencryptionkeys.Thisincludesalldatawrittentodiskandanybackups.

AmazonRedshiftusesafour-tier,key-basedarchitectureforencryption.Thesekeysconsistofdataencryptionkeys,adatabasekey,aclusterkey,andamasterkey.

Dataencryptionkeysencryptdatablocksinthecluster.Eachdatablockisassignedarandomly-generatedAES256key.Thesekeysareencryptedbyusingthedatabasekeyforthecluster.

Thedatabasekeyencryptsdataencryptionkeysinthecluster.Thedatabasekeyisarandomly-generatedAES-256key.ItisstoredondiskinaseparatenetworkfromtheAmazonRedshiftclusterandencryptedbyamasterkey.AmazonRedshiftpassesthedatabasekeyacrossasecurechannelandkeepsitinmemoryinthecluster.

TheclusterkeyencryptsthedatabasekeyfortheAmazonRedshiftcluster.YoucanuseeitherAWSoraHardwareSecurityModule(HSM)tostoretheclusterkey.HSMsprovidedirectcontrolofkeygenerationandmanagementandmakekeymanagementseparateanddistinctfromtheapplicationandthedatabase.

ThemasterkeyencryptstheclusterkeyifitisstoredinAWS.Themasterkeyencryptsthecluster-key-encrypteddatabasekeyiftheclusterkeyisstoredinanHSM.

YoucanhaveAmazonRedshiftrotatetheencryptionkeysforyourencryptedclustersatanytime.Aspartoftherotationprocess,keysarealsoupdatedforallofthecluster’sautomaticandmanualsnapshots.Notethatenablingencryptioninyourclusterwillimpactperformance,eventhoughitishardwareaccelerated.

Encryptionalsoappliestobackups.Whenyou’rerestoringfromanencryptedsnapshot,thenewclusterwillbeencryptedaswell.

ToencryptyourtableloaddatafileswhenyouuploadthemtoAmazonS3,youcanuse

AmazonS3server-sideencryption.WhenyouloadthedatafromAmazonS3,theCOPYcommandwilldecryptthedataasitloadsthetable.

DatabaseAuditLoggingAmazonRedshiftlogsallSQLoperations,includingconnectionattempts,queries,andchangestoyourdatabase.YoucanaccesstheselogsusingSQLqueriesagainstsystemtablesorchoosetohavethemdownloadedtoasecureAmazonS3bucket.Youcanthenusetheseauditlogstomonitoryourclusterforsecurityandtroubleshootingpurposes.

AutomaticSoftwarePatchingAmazonRedshiftmanagesalltheworkofsettingup,operating,andscalingyourdatawarehouse,includingprovisioningcapacity,monitoringthecluster,andapplyingpatchesandupgradestotheAmazonRedshiftengine.Patchesareappliedonlyduringspecifiedmaintenancewindows.

SSLConnectionsToprotectyourdataintransitwithintheAWSCloud,AmazonRedshiftuseshardware-acceleratedSSLtocommunicatewithAmazonS3orAmazonDynamoDBforCOPY,UNLOAD,backup,andrestoreoperations.YoucanencrypttheconnectionbetweenyourclientandtheclusterbyspecifyingSSLintheparametergroupassociatedwiththecluster.TohaveyourclientsalsoauthenticatetheAmazonRedshiftserver,youcaninstallthepublickey(.pemfile)fortheSSLcertificateonyourclientandusethekeytoconnecttoyourclusters.

AmazonRedshiftoffersthenewer,strongerciphersuitesthatusetheEllipticCurveDiffie-HellmanEphemeral(ECDHE)protocol.ECDHEallowsSSLclientstoprovidePerfectForwardSecrecybetweentheclientandtheAmazonRedshiftcluster.PerfectForwardSecrecyusessessionkeysthatareephemeralandnotstoredanywhere,whichpreventsthedecodingofcaptureddatabyunauthorizedthirdparties,evenifthesecretlong-termkeyitselfiscompromised.YoudonotneedtoconfigureanythinginAmazonRedshifttoenableECDHE;ifyouconnectfromanSQLclienttoolthatusesECDHEtoencryptcommunicationbetweentheclientandserver,AmazonRedshiftwillusetheprovidedcipherlisttomaketheappropriateconnection.

AmazonElastiCacheSecurityAmazonElastiCacheisawebservicethatmakesiteasytosetup,manage,andscaledistributedin-memorycacheenvironmentsinthecloud.Theserviceimprovestheperformanceofwebapplicationsbyallowingyoutoretrieveinformationfromafast,managed,in-memorycachingsystem,insteadofrelyingentirelyonslowerdisk-baseddatabases.Itcanbeusedtoimprovelatencyandthroughputsignificantlyformanyread-heavyapplicationworkloads(suchassocialnetworking,gaming,mediasharing,andQandAportals)orcompute-intensiveworkloads(suchasarecommendationengine).Cachingimprovesapplicationperformancebystoringcriticalpiecesofdatainmemoryforlow-latencyaccess.CachedinformationmayincludetheresultsofI/O-intensivedatabasequeriesortheresultsofcomputationally-intensivecalculations.

TheAmazonElastiCacheserviceautomatestime-consumingmanagementtasksforin-memorycacheenvironments,suchaspatchmanagement,failuredetection,andrecovery.ItworksinconjunctionwithotherAWSCloudservices(suchasAmazonEC2,AmazonCloudWatch,andAmazonSNS)toprovideasecure,high-performance,andmanagedin-memorycache.Forexample,anapplicationrunninginAmazonEC2cansecurelyaccessanAmazonElastiCacheclusterinthesameregionwithverylowlatency.

UsingtheAmazonElastiCacheservice,youcreateaCacheCluster,whichisacollectionofoneormoreCacheNodes,eachrunninganinstanceoftheMemcachedservice.ACacheNodeisafixed-sizechunkofsecure,network-attachedRAM.EachCacheNoderunsaninstanceoftheMemcachedserviceandhasitsownDNSnameandport.MultipletypesofCacheNodesaresupported,eachwithvaryingamountsofassociatedmemory.ACacheClustercanbesetupwithaspecificnumberofCacheNodesandaCacheParameterGroupthatcontrolsthepropertiesforeachCacheNode.AllCacheNodeswithinaCacheClusteraredesignedtobeofthesameNodeTypeandhavethesameparameterandsecuritygroupsettings.

DataAccessAmazonElastiCacheallowsyoutocontrolaccesstoyourCacheClustersusingCacheSecurityGroups.ACacheSecurityGroupactslikeafirewall,controllingnetworkaccesstoyourCacheCluster.Bydefault,networkaccessisturnedofftoyourCacheClusters.IfyouwantyourapplicationstoaccessyourCacheCluster,youmustexplicitlyenableaccessfromhostsinspecificAmazonEC2securitygroups.Afteringressrulesareconfigured,thesamerulesapplytoallCacheClustersassociatedwiththatCacheSecurityGroup.

ToallownetworkaccesstoyourCacheCluster,createaCacheSecurityGroupandusetheAuthorizeCacheSecurityGroupIngressAPIorCLIcommandtoauthorizethedesiredAmazonEC2securitygroup(whichinturnspecifiestheAmazonEC2instancesallowed).IP-rangebasedaccesscontroliscurrentlynotenabledforCacheClusters.AllclientstoaCacheClustermustbewithintheAmazonEC2network,andauthorizedviaCacheSecurityGroups.

AmazonElastiCacheforRedisprovidesbackupandrestorefunctionality,whereyoucancreateasnapshotofyourentireRedisclusterasitexistsataspecificpointintime.Youcanscheduleautomatic,recurringdailysnapshots,oryoucancreateamanualsnapshotatanytime.Forautomaticsnapshots,youspecifyaretentionperiod;manualsnapshotsareretaineduntilyoudeletethem.ThesnapshotsarestoredinAmazonS3withhighdurability,andcanbeusedforwarmstarts,backups,andarchiving.

ApplicationServicesAWSoffersavarietyofmanagedservicestousewithyourapplications,includingservicesthatprovideapplicationstreaming,queueing,pushnotification,emaildelivery,search,andtranscoding.

AmazonSimpleQueueService(AmazonSQS)SecurityAmazonSQSisahighlyreliable,scalablemessagequeuingservicethatenablesasynchronousmessage-basedcommunicationbetweendistributedcomponentsofanapplication.ThecomponentscanbecomputersorAmazonEC2instancesoracombinationofboth.WithAmazonSQS,youcansendanynumberofmessagestoanAmazonSQSqueueatanytimefromanycomponent.Themessagescanberetrievedfromthesamecomponentoradifferentone,rightawayoratalatertime(within14days).Messagesarehighlydurable;eachmessageispersistentlystoredinhighlyavailable,highlyreliablequeues.Multipleprocessescanread/writefrom/toanAmazonSQSqueueatthesametimewithoutinterferingwitheachother.

DataAccessAmazonSQSaccessisgrantedbasedonanAWSaccountorausercreatedwithAWSIAM.Afteritisauthenticated,theAWSaccounthasfullaccesstoalluseroperations.AnIAMuser,however,onlyhasaccesstotheoperationsandqueuesforwhichtheyhavebeen

grantedaccessviapolicy.Bydefault,accesstoeachindividualqueueisrestrictedtotheAWSaccountthatcreatedit.However,youcanallowotheraccesstoaqueue,usingeitheranAmazonSQS-generatedpolicyorapolicyyouwrite.

EncryptionAmazonSQSisaccessibleviaSSL-encryptedendpoints.TheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2.DatastoredwithinAmazonSQSisnotencryptedbyAWS;however,theusercanencryptdatabeforeitisuploadedtoAmazonSQS,providedthattheapplicationusingthequeuehasameanstodecryptthemessagewhenit’sretrieved.EncryptingmessagesbeforesendingthemtoAmazonSQShelpsprotectagainstaccesstosensitivecustomerdatabyunauthorizedpersons,includingAWS.

AmazonSimpleNotificationService(AmazonSNS)SecurityAmazonSNSisawebservicethatmakesiteasytosetup,operate,andsendnotificationsfromthecloud.Itprovidesdeveloperswithahighlyscalable,flexible,andcost-effectivecapabilitytopublishmessagesfromanapplicationandimmediatelydeliverthemtosubscribersorotherapplications.AmazonSNSprovidesasimplewebservicesinterfacethatcanbeusedtocreatetopicsthatcustomerswanttonotifyapplications(orpeople)about,subscribeclientstothesetopics,publishmessages,andhavethesemessagesdeliveredoverclients’protocolofchoice(forexample,HTTP/HTTPS,email).

AmazonSNSdeliversnotificationstoclientsusingapushmechanismthateliminatestheneedtocheckorpollfornewinformationandupdatesperiodically.AmazonSNScanbeleveragedtobuildhighlyreliable,event-drivenworkflowsandmessagingapplicationswithouttheneedforcomplexmiddlewareandapplicationmanagement.ThepotentialusesforAmazonSNSincludemonitoringapplications,workflowsystems,time-sensitiveinformationupdates,mobileapplications,andmanyothers.

DataAccessAmazonSNSprovidesaccesscontrolmechanismssothattopicsandmessagesaresecuredagainstunauthorizedaccess.Topicownerscansetpoliciesforatopicthatrestrictswhocanpublishorsubscribetoatopic.Additionally,topicownerscanencrypttransmissionbyspecifyingthatthedeliverymechanismmustbeHTTPS.AmazonSNSaccessisgrantedbasedonanAWSaccountorausercreatedwithAWSIAM.Afteritisauthenticated,theAWSaccounthasfullaccesstoalluseroperations.AnIAMuser,however,onlyhasaccesstotheoperationsandtopicsforwhichtheyhavebeengrantedaccessviapolicy.Bydefault,accesstoeachindividualtopicisrestrictedtotheAWSaccountthatcreatedit.However,youcanallowotheraccesstoAmazonSNS,usingeitheranAmazonSNS-generatedpolicyorapolicyyouwrite.

AnalyticsServicesAWSprovidescloud-basedanalyticsservicestohelpyouprocessandanalyzeanyvolumeofdata,whetheryourneedisformanagedHadoopclusters,real-timestreamingdata,petabytescaledatawarehousing,ororchestration.

AmazonElasticMapReduce(AmazonEMR)SecurityAmazonElasticMapReduce(AmazonEMR)isamanagedwebserviceyoucanusetorunHadoopclustersthatprocessvastamountsofdatabydistributingtheworkanddataamong

severalservers.ItusesanenhancedversionoftheApacheHadoopframeworkrunningontheweb-scaleinfrastructureofAmazonEC2andAmazonS3.YousimplyuploadyourinputdataandadataprocessingapplicationintoAmazonS3.AmazonEMRthenlaunchesthenumberofAmazonEC2instancesyouspecify.TheservicebeginsthejobflowexecutionwhilepullingtheinputdatafromAmazonS3intothelaunchedAmazonEC2instances.Afterthejobflowisfinished,AmazonEMRtransferstheoutputdatatoAmazonS3,whereyoucanthenretrieveitoruseitasinputinanotherjobflow.

Whenlaunchingjobflowsonyourbehalf,AmazonEMRsetsuptwoAmazonEC2securitygroups:oneforthemasternodesandanotherfortheslaves.Themastersecuritygrouphasaportopenforcommunicationwiththeservice.ItalsohastheSSHportopentoallowyoutoSSHintotheinstancesusingthekeyspecifiedatstartup.Theslavesstartinaseparatesecuritygroup,whichonlyallowsinteractionwiththemasterinstance.Bydefault,bothsecuritygroupsaresetuptonotallowaccessfromexternalsources,includingAmazonEC2instancesbelongingtoothercustomers.Becausethesearesecuritygroupswithinyouraccount,youcanreconfigurethemusingthestandardEC2toolsordashboard.Toprotectcustomerinputandoutputdatasets,AmazonEMRtransfersdatatoandfromAmazonS3usingSSL.

AmazonEMRprovidesseveralwaystocontrolaccesstotheresourcesofyourcluster.YoucanuseAWSIAMtocreateuseraccountsandrolesandconfigurepermissionsthatcontrolwhichAWSfeaturesthoseusersandrolescanaccess.Whenyoulaunchacluster,youcanassociateanAmazonEC2keypairwiththecluster,whichyoucanthenusewhenyouconnecttotheclusterusingSSH.YoucanalsosetpermissionsthatallowusersotherthanthedefaultHadoopusertosubmitjobstoyourcluster.

Bydefault,ifanIAMuserlaunchesacluster,thatclusterishiddenfromotherIAMusersontheAWSaccount.ThisfilteringoccursonallAmazonEMRinterfaces(theAWSManagementConsole,CLI,API,andSDKs)andhelpspreventIAMusersfromaccessingandinadvertentlychangingclusterscreatedbyotherIAMusers.

Foranadditionallayerofprotection,youcanlaunchtheAmazonEC2instancesofyourAmazonEMRclusterintoanAmazonVPC,whichislikelaunchingitintoaprivatesubnet.Thisallowsyoutocontrolaccesstotheentiresubnet.YoucanalsolaunchtheclusterintoanAmazonVPCandenabletheclustertoaccessresourcesonyourinternalnetworkusingaVPNconnection.YoucanencrypttheinputdatabeforeyouuploadittoAmazonS3usinganycommondataencryptiontool.Ifyoudoencryptthedatabeforeitisuploaded,youthenneedtoaddadecryptionsteptothebeginningofyourjobflowwhenAmazonEMRfetchesthedatafromAmazonS3.

AmazonKinesisSecurityAmazonKinesisisamanagedservicedesignedtohandlereal-timestreamingofbigdata.Itcanacceptanyamountofdata,fromanynumberofsources,scalingupanddownasneeded.YoucanuseAmazonKinesisinsituationsthatcallforlarge-scale,real-timedataingestionandprocessing,suchasserverlogs,socialmedia,ormarketdatafeeds,andwebclickstreamdata.ApplicationsreadandwritedatarecordstoAmazonKinesisinstreams.YoucancreateanynumberofAmazonKinesisstreamstocapture,store,andtransportdata.

YoucancontrollogicalaccesstoAmazonKinesisresourcesandmanagementfunctionsby

creatingusersunderyourAWSaccountusingAWSIAM,andcontrollingwhichAmazonKinesisoperationstheseusershavepermissiontoperform.TofacilitaterunningyourproducerorconsumerapplicationsonanAmazonEC2instance,youcanconfigurethatinstancewithanIAMrole.Thatway,AWScredentialsthatreflectthepermissionsassociatedwiththeIAMrolearemadeavailabletoapplicationsontheinstance,whichmeansyoudon’thavetouseyourlong-termAWSsecuritycredentials.Roleshavetheaddedbenefitofprovidingtemporarycredentialsthatexpirewithinashorttimeframe,whichaddsanadditionalmeasureofprotection.

TheAmazonKinesisAPIisonlyaccessibleviaanSSL-encryptedendpoint(kinesis.us-east-1.amazonaws.com)tohelpensuresecuretransmissionofyourdatatoAWS.YoumustconnecttothatendpointtoaccessAmazonKinesis,butyoucanthenusetheAPItodirectAmazonKinesistocreateastreaminanyAWSregion.

DeploymentandManagementServicesAWSprovidesavarietyoftoolstohelpwiththedeploymentandmanagementofyourapplications.ThisincludesservicesthatallowyoutocreateindividualuseraccountswithcredentialsforaccesstoAWSservices.ItalsoincludesservicesforcreatingandupdatingstacksofAWSresources,deployingapplicationsonthoseresources,andmonitoringthehealthofthoseAWSresources.OthertoolshelpyoumanagecryptographickeysusingHSMsandlogAWSAPIactivityforsecurityandcompliancepurposes.

AWSIdentityandAccessManagement(IAM)SecurityAWSIAMallowsyoutocreatemultipleusersandmanagethepermissionsforeachoftheseuserswithinyourAWSaccount.Auserisanidentity(withinanAWSaccount)withuniquesecuritycredentialsthatcanbeusedtoaccessAWSCloudservices.IAMeliminatestheneedtosharepasswordsorkeysandmakesiteasytoenableordisableauser’saccessasappropriate.

AWSIAMenablesyoutoimplementsecuritybestpractices,suchasleastprivilege,bygrantinguniquecredentialstoeveryuserwithinyourAWSaccountandonlygrantingpermissiontoaccesstheAWSCloudservicesandresourcesrequiredfortheuserstoperformtheirjobs.IAMissecurebydefault;newusershavenoaccesstoAWSuntilpermissionsareexplicitlygranted.

AWSIAMisalsointegratedwithAWSMarketplacesothatyoucancontrolwhoinyourorganizationcansubscribetothesoftwareandservicesofferedinAWSMarketplace.BecausesubscribingtocertainsoftwareinAWSMarketplacelaunchesanAmazonEC2instancetorunthesoftware,thisisanimportantaccesscontrolfeature.UsingIAMtocontrolaccesstoAWSMarketplacealsoenablesAWSaccountownerstohavefine-grainedcontroloverusageandsoftwarecosts.

AWSIAMenablesyoutominimizetheuseofyourAWSaccountcredentials.AfteryoucreateIAMuseraccounts,allinteractionswithAWSCloudservicesandresourcesshouldoccurwithIAMusersecuritycredentials.

RolesAnIAMroleusestemporarysecuritycredentialstoallowyoutodelegateaccesstousersorservicesthatnormallydon’thaveaccesstoyourAWSresources.AroleisasetofpermissionstoaccessspecificAWSresources,butthesepermissionsarenottiedtoaspecific

IAMuserorgroup.Anauthorizedentity(forexample,mobileuserorAmazonEC2instance)assumesaroleandreceivestemporarysecuritycredentialsforauthenticatingtotheresourcesdefinedintherole.Temporarysecuritycredentialsprovideenhancedsecurityduetotheirshortlifespan(thedefaultexpirationis12hours)andthefactthattheycannotbereusedaftertheyexpire.Thiscanbeparticularlyusefulinprovidinglimited,controlledaccessincertainsituations:

Federated(Non-AWS)UserAccessFederatedusersareusers(orapplications)whodonothaveAWSaccounts.Withroles,youcangivethemaccesstoyourAWSresourcesforalimitedamountoftime.Thisisusefulifyouhavenon-AWSusersthatyoucanauthenticatewithanexternalservice,suchasMicrosoftActiveDirectory,LightweightDirectoryAccessProtocol(LDAP),orKerberos.ThetemporaryAWScredentialsusedwiththerolesprovideidentityfederationbetweenAWSandyournon-AWSusersinyourcorporateidentityandauthorizationsystem.

SecurityAssertionMarkupLanguage(SAML)2.0IfyourorganizationsupportsSAML2.0,youcancreatetrustbetweenyourorganizationasanIdentityProvider(IdP)andotherorganizationsasserviceproviders.InAWS,youcanconfigureAWSastheserviceprovideranduseSAMLtoprovideyouruserswithfederatedSingle-SignOn(SSO)totheAWSManagementConsoleortogetfederatedaccesstocallAWSAPIs.

Rolesarealsousefulifyoucreateamobileorweb-basedapplicationthataccessesAWSresources.AWSresourcesrequiresecuritycredentialsforprogrammaticrequests;however,youshouldn’tembedlong-termsecuritycredentialsinyourapplicationbecausetheyareaccessibletotheapplication’susersandcanbedifficulttorotate.Instead,youcanletuserssignintoyourapplicationusingLoginwithAmazon,Facebook,orGoogleandthenusetheirauthenticationinformationtoassumearoleandgettemporarysecuritycredentials.

Cross-AccountAccessFororganizationsthatusemultipleAWSaccountstomanagetheirresources,youcansetuprolestoprovideuserswhohavepermissionsinoneaccounttoaccessresourcesunderanotheraccount.Fororganizationsthathavepersonnelwhoonlyrarelyneedaccesstoresourcesunderanotheraccount,usingroleshelpstoensurethatcredentialsareprovidedtemporarilyandonlyasneeded.

ApplicationsRunningonEC2InstancesThatNeedtoAccessAWSResourcesIfanapplicationrunsonanAmazonEC2instanceandneedstomakerequestsforAWSresources,suchasAmazonS3bucketsoraDynamoDBtable,itmusthavesecuritycredentials.UsingrolesinsteadofcreatingindividualIAMaccountsforeachapplicationoneachinstancecansavesignificanttimeforcustomerswhomanagealargenumberofinstancesoranelasticallyscalingfleetusingAWSAutoScaling.

Thetemporarycredentialsincludeasecuritytoken,anAccessKeyID,andaSecretAccessKey.Togiveauseraccesstocertainresources,youdistributethetemporarysecuritycredentialstotheusertowhomyouaregrantingtemporaryaccess.Whentheusermakescallstoyourresources,theuserpassesinthetokenandAccessKeyIDandsignstherequestwiththeSecretAccessKey.Thetokenwillnotworkwithdifferentaccesskeys.

Theuseoftemporarycredentialsprovidesadditionalprotectionforyoubecauseyoudon’thavetomanageordistributelong-termcredentialstotemporaryusers.Inaddition,thetemporarycredentialsgetautomaticallyloadedtothetargetinstancesoyoudon’thavetoembedthemsomewhereunsafelikeyourcode.Temporarycredentialsareautomaticallyrotatedorchangedmultipletimesadaywithoutanyactiononyourpartandarestoredsecurelybydefault.

MobileServices

AWSmobileservicesmakeiteasierforyoutobuild,ship,run,monitor,optimize,andscalecloud-poweredapplicationsformobiledevices.Theseservicesalsohelpyouauthenticateuserstoyourmobileapplication,synchronizedata,andcollectandanalyzeapplicationusage.

AmazonCognitoSecurityAmazonCognitoprovidesidentityandsyncservicesformobileandweb-basedapplications.Itsimplifiesthetaskofauthenticatingusersandstoring,managing,andsyncingtheirdataacrossmultipledevices,platforms,andapplications.Itprovidestemporary,limited-privilegecredentialsforbothauthenticatedandunauthenticateduserswithouthavingtomanageanyback-endinfrastructure.

AmazonCognitoworkswithwell-knownidentityproviderslikeGoogle,Facebook,andAmazontoauthenticateendusersofyourmobileandwebapplications.Youcantakeadvantageoftheidentificationandauthorizationfeaturesprovidedbytheseservicesinsteadofhavingtobuildandmaintainyourown.Yourapplicationauthenticateswithoneoftheseidentityprovidersusingtheprovider’sSDK.Aftertheenduserisauthenticatedwiththeprovider,anOAuthorOpenIDConnecttokenreturnedfromtheproviderispassedbyyourapplicationtoAmazonCognito,whichreturnsanewAmazonCognitoIDfortheuserandasetoftemporary,limited-privilegeAWScredentials.

TobeginusingAmazonCognito,youcreateanidentitypoolthroughtheAmazonCognitoconsole.TheidentitypoolisastoreofuseridentityinformationthatisspecifictoyourAWSaccount.Duringthecreationoftheidentitypool,youwillbeaskedtocreateanewIAMroleorpickanexistingoneforyourendusers.AnIAMroleisasetofpermissionstoaccessspecificAWSresources,butthesepermissionsarenottiedtoaspecificIAMuserorgroup.Anauthorizedentity(forexample,mobileuser,AmazonEC2instance)assumesaroleandreceivestemporarysecuritycredentialsforauthenticatingtotheAWSresourcesdefinedintherole.Temporarysecuritycredentialsprovideenhancedsecurityduetotheirshortlifespan(thedefaultexpirationis12hours)andthefactthattheycannotbereusedaftertheyexpire.

TheroleyouselecthasanimpactonwhichAWSCloudservicesyourenduserswillbeabletoaccesswiththetemporarycredentials.Bydefault,AmazonCognitocreatesanewrolewithlimitedpermissions;endusersonlyhaveaccesstotheAmazonCognitoSyncserviceandAmazonMobileAnalytics.IfyourapplicationneedsaccesstootherAWSresources,suchasAmazonS3orAmazonDynamoDB,youcanmodifyyourrolesdirectlyfromtheIAMconsole.

WithAmazonCognito,thereisnoneedtocreateindividualAWSaccountsorevenIAMaccountsforeveryoneofyourweb/mobileapplicationenduserswhowillneedtoaccessyourAWSresources.InconjunctionwithIAMroles,mobileuserscansecurelyaccessAWSresourcesandapplicationfeaturesandevensavedatatotheAWSCloudwithouthavingtocreateanaccountorlogin.Iftheychoosetocreateanaccountorloginlater,AmazonCognitowillmergedataandidentificationinformation.

BecauseAmazonCognitostoresdatalocallyandalsointheservice,yourenduserscancontinuetointeractwiththeirdataevenwhentheyareoffline.Theirofflinedatamaybestale,buttheycanimmediatelyretrieveanythingtheyputintothedatasetwhetherornottheyareonline.TheclientSDKmanagesalocalSQLitestoresothattheapplicationcanworkevenwhenitisnotconnected.TheSQLitestorefunctionsasacacheandisthetargetofallreadandwriteoperations.AmazonCognito’ssyncfacilitycomparesthelocalversionofthe

datatothecloudversionandpushesuporpullsdowndeltasasneeded.Notethatinordertosyncdataacrossdevices,youridentitypoolmustsupportauthenticatedidentities.Unauthenticatedidentitiesaretiedtothedevice,sounlessanenduserauthenticates,nodatacanbesyncedacrossmultipledevices.

WithAmazonCognito,yourapplicationcommunicatesdirectlywithasupportedpublicidentityprovider(Amazon,Facebook,orGoogle)toauthenticateusers.AmazonCognitodoesnotreceiveorstoreusercredentials,onlytheOAuthorOpenIDConnecttokenreceivedfromtheidentityprovider.AfterAmazonCognitoreceivesthetoken,itreturnsanewAmazonCognitoIDfortheuserandasetoftemporary,limited-privilegeAWScredentials.EachAmazonCognitoidentityhasaccessonlytoitsowndatainthesyncstore,andthisdataisencryptedwhenstored.Inaddition,allidentitydataistransmittedoverHTTPS.TheuniqueAmazonCognitoidentifieronthedeviceisstoredintheappropriatesecurelocation.ForexampleoniOS,theAmazonCognitoidentifierisstoredintheiOSkeychain.UserdataiscachedinalocalSQLitedatabasewithintheapplication’ssandbox;ifyourequireadditionalsecurity,youcanencryptthisidentitydatainthelocalcachebyimplementingencryptioninyourapplication.

ApplicationsAWSapplicationsaremanagedservicesthatenableyoutoprovideyouruserswithsecure,centralizedstorageandworkareasinthecloud.

AmazonWorkSpacesSecurityAmazonWorkSpacesisamanageddesktopservicethatallowsyoutoquicklyprovisioncloud-baseddesktopsforyourusers.SimplychooseaWindows7bundlethatbestmeetstheneedsofyourusersandthenumberofWorkSpacesthatyouwanttolaunch.AftertheWorkSpacesareready,usersreceiveanemailinformingthemwheretheycandownloadtherelevantclientandlogintotheirWorkSpace.Theycanthenaccesstheircloud-baseddesktopsfromavarietyofendpointdevices,includingPCs,laptops,andmobiledevices.However,yourorganization’sdataisneversenttoorstoredontheend-userdevicebecauseAmazonWorkSpacesusesPC-over-IP(PCoIP),whichprovidesaninteractivevideostreamwithouttransmittingactualdata.ThePCoIPprotocolcompresses,encrypts,andencodestheusers’desktopcomputingexperienceandtransmitsaspixelsonlyacrossanystandardIPnetworktoend-userdevices.

InordertoaccesstheirWorkSpace,usersmustsigninusingasetofuniquecredentialsortheirregularActiveDirectorycredentials.WhenyouintegrateAmazonWorkSpaceswithyourcorporateActiveDirectory,eachWorkSpacejoinsyourActiveDirectorydomainandcanbemanagedjustlikeanyotherdesktopinyourorganization.ThismeansthatyoucanuseActiveDirectoryGroupPoliciestomanageyourusersWorkSpacestospecifyconfigurationoptionsthatcontrolthedesktop.IfyouchoosenottouseActiveDirectoryorothertypeofon-premisesdirectorytomanageyouruserWorkSpaces,youcancreateaprivateclouddirectorywithinAmazonWorkSpacesthatyoucanuseforadministration.

Toprovideanadditionallayerofsecurity,youcanalsorequiretheuseofMFAuponsign-inintheformofahardwareorsoftwaretoken.AmazonWorkSpacessupportsMFAusinganon-premisesRemoteAuthenticationDialInUserService(RADIUS)serveroranysecurityproviderthatsupportsRADIUSauthentication.ItcurrentlysupportsthePAP,CHAP,MS-

CHAP1,andMS-CHAP2protocols,alongwithRADIUSproxies.

EachWorkSpaceresidesonitsownAmazonEC2instancewithinanAmazonVPC.YoucancreateWorkSpacesinanAmazonVPCyoualreadyownorhavetheAmazonWorkSpacesservicecreateoneforyouautomaticallyusingtheAmazonWorkSpacesQuickStartoption.WhenyouusetheQuickStartoption,AmazonWorkSpacesnotonlycreatestheAmazonVPC,butitalsoperformsseveralotherprovisioningandconfigurationtasksforyou,suchascreatinganInternetGatewayfortheAmazonVPC,settingupadirectorywithintheAmazonVPCthatisusedtostoreuserandWorkSpaceinformation,creatingadirectoryadministratoraccount,creatingthespecifieduseraccountsandaddingthemtothedirectory,andcreatingtheAmazonWorkSpacesinstances.OrtheAmazonVPCcanbeconnectedtoanon-premisesnetworkusingasecureVPNconnectiontoallowaccesstoanexistingon-premisesActiveDirectoryandotherintranetresources.YoucanaddasecuritygroupthatyoucreateinyourAmazonVPCtoalloftheWorkSpacesthatbelongtoyourActiveDirectory.ThisallowsyoutocontrolnetworkaccessfromAmazonWorkSpacesinyourAmazonVPCtootherresourcesinyourAmazonVPCandon-premisesnetwork.

PersistentstorageforAmazonWorkSpacesisprovidedbyAmazonEBSandisautomaticallybackeduptwiceadaytoAmazonS3.IfAmazonWorkSpacesSyncisenabledonaWorkSpace,thefolderauserchoosestosyncwillbecontinuouslybackedupandstoredinAmazonS3.YoucanalsouseAmazonWorkSpacesSynconaMacorPCtosyncdocumentstoorfromyourWorkSpacesothatyoucanalwayshaveaccesstoyourdataregardlessofthedesktopcomputeryouareusing.

Becauseitisamanagedservice,AWStakescareofseveralsecurityandmaintenancetaskslikedailybackupsandpatching.UpdatesaredeliveredautomaticallytoyourWorkSpacesduringaweeklymaintenancewindow.Youcancontrolhowpatchingisconfiguredforauser’sWorkSpace.Bydefault,WindowsUpdateisturnedon,butyouhavetheabilitytocustomizethesesettingsoruseanalternativepatchmanagementapproachifyoudesire.FortheunderlyingOS,WindowsUpdateisenabledbydefaultonAmazonWorkSpacesandconfiguredtoinstallupdatesonaweeklybasis.YoucanuseanalternativepatchingapproachorconfigureWindowsUpdatetoperformupdatesatatimeofyourchoosing.YoucanuseIAMtocontrolwhoonyourteamcanperformadministrativefunctionslikecreatingordeletingWorkSpacesorsettingupuserdirectories.YoucanalsosetupaWorkSpacefordirectoryadministration,installyourfavoriteActiveDirectoryadministrationtools,andcreateorganizationalunitsandGroupPoliciesinordertoapplyActiveDirectorychangesmoreeasilyforallofyourAmazonWorkSpacesusers.

SummaryInthischapter,youlearnedthatthefirstpriorityatAWSisCloudsecurity.SecuritywithinAWSisbasedona“defenseindepth”modelwherenoone,singleelementisusedtosecuresystemsonAWS.Rather,AWSusesamultitudeofelements—eachactingatdifferentlayersofasystem—intotaltosecurethesystem.AWSisresponsibleforsomelayersofthismodel,andcustomersareresponsibleforothers.AWSalsoofferssecuritytoolsandfeaturesofservicesforcustomerstouseattheirdiscretion.Severaloftheseconcepts,tools,andfeatureswerediscussedinthischapter.

SecurityModelThesharedresponsibilitymodelisthesecuritymodelwhereAWSisresponsibleforthesecurityoftheunderlyingcloudinfrastructure,andthecustomerisresponsibleforsecuringworkloadsdeployedinAWS.CustomersbenefitfromadatacenterandnetworkarchitecturebuilttosatisfytherequirementsofAWSmostsecurity-sensitivecustomers.Thismeansthatcustomersgetaresilientinfrastructure,designedforhighsecurity,withoutthecapitaloutlayandoperationaloverheadofatraditionaldatacenter.

AccountLevelSecurityAWScredentialshelpensurethatonlyauthorizedusersandprocessesaccessyourAWSaccountandresources.AWSusesseveraltypesofcredentialsforauthentication.Theseincludepasswords,cryptographickeys,digitalsignatures,andcertificates.AWSalsoprovidestheoptionofrequiringMFAtologintoyourAWSaccountorIAMuseraccounts.

PasswordsarerequiredtoaccessyourAWSaccount,individualIAMuseraccounts,AWSDiscussionForums,andtheAWSSupportCenter.Youspecifythepasswordwhenyoufirstcreatetheaccount,andyoucanchangeitatanytimebygoingtotheSecurityCredentialspage.

AWSMFAisanadditionallayerofsecurityforaccessingAWSCloudservices.Whenyouenablethisoptionalfeature,youwillneedtoprovideasix-digit,single-usecodeinadditiontoyourstandardusernameandpasswordcredentialsbeforeaccessisgrantedtoyourAWSaccountsettingsorAWSCloudservicesandresources.Yougetthissingle-usecodefromanauthenticationdevicethatyoukeepinyourphysicalpossession.Thisismulti-factorbecausemorethanoneauthenticationfactorischeckedbeforeaccessisgranted:apassword(somethingyouknow)andtheprecisecodefromyourauthenticationdevice(somethingyouhave).AnMFAdeviceusesasoftwareapplicationthatgeneratessix-digitauthenticationcodesthatarecompatiblewiththeTOTPstandard,asdescribedinRFC6238.

AccessKeysarecreatedbyAWSIAManddeliveredasapair:theAccessKeyID(AKI)andtheSecretAccessKey(SAK).AWSrequiresthatallAPIrequestsbesignedbytheSAK;thatis,theymustincludeadigitalsignaturethatAWScanusetoverifytheidentityoftherequestor.Youcalculatethedigitalsignatureusingacryptographichashfunction.IfyouuseanyoftheAWSSDKstogeneraterequests,thedigitalsignaturecalculationisdoneforyou.ThemostrecentversionofthedigitalsignaturecalculationprocessatthetimeofthiswritingisSignatureVersion4,whichcalculatesthesignatureusingtheHMAC-SHA-256protocol.

AWSCloudTrailisawebservicethatrecordsAPIcallsmadeonyouraccountanddeliverslogfilestoyourAmazonS3bucket.AWSCloudTrail’sbenefitisvisibilityintoaccountactivitybyrecordingAPIcallsmadeonyouraccount.

Service-SpecificSecurityInadditiontotheSharedResponsibilityModelandAccountLevelsecurity,AWSofferssecurityfeaturesforeachoftheservicesitprovides.Thesesecurityfeaturesareoutlinedbelowbytechnologydomain.

ComputeAmazonElasticComputeCloud(AmazonEC2)AmazonEC2supportsRSA2048SSH-2KeypairsforgainingfirstaccesstoanAmazonEC2instance.OnaLinuxinstance,accessisgrantedthroughshowingpossessionoftheSSHprivatekey.OnaWindowsinstance,accessisgrantedbyshowingpossessionoftheSSHprivatekeyinordertodecrypttheadministratorpassword.

AmazonElasticBlockStore(AmazonEBS)DatastoredinAmazonEBSvolumesisredundantlystoredinmultiplephysicallocationswithinthesameAvailabilityZoneaspartofnormaloperationofthatserviceandatnoadditionalcharge.AWSprovidestheabilitytoencryptAmazonEBSvolumesandtheirsnapshotswithAES-256.TheencryptionoccursontheserversthathosttheAmazonEC2instances,providingencryptionofdataasitmovesbetweenAmazonEC2instancesandAmazonEBSstorage.

NetworkingElasticLoadBalancingElasticLoadBalancingconfiguresyourloadbalancerwithapre-definedciphersetthatisusedforTLSnegotiationwhenaconnectionisestablishedbetweenaclientandyourloadbalancer.Thepre-definedciphersetprovidescompatibilitywithabroadrangeofclientsandusesstrongcryptographicalgorithms.ElasticLoadBalancingallowsyoutoidentifytheoriginatingIPaddressofaclientconnectingtoyourservers,whetheryou’reusingHTTPSorTCPloadbalancing.

AmazonVirtualPrivateCloud(AmazonVPC)AmazonVPCenablesyoutocreateanisolatedportionoftheAWSCloudandlaunchAmazonEC2instancesthathaveprivate(RFC1918)addressesintherangeofyourchoice.SecurityfeatureswithinAmazonVPCincludesecuritygroups,networkACLs,routingtables,andexternalgateways.Eachoftheseitemsiscomplementarytoprovidingasecure,isolatednetworkthatcanbeextendedthroughselectiveenablingofdirectInternetaccessorprivateconnectivitytoanothernetwork.

AmazonCloudFrontAmazonCloudFrontgivescustomersaneasywaytodistributecontenttoenduserswithlowlatencyandhighdatatransferspeeds.Itdeliversdynamic,static,andstreamingcontentusingaglobalnetworkofedgelocations.TocontrolaccesstotheoriginalcopiesofyourobjectsinAmazonS3,AmazonCloudFrontallowsyoutocreateoneormoreOriginAccessIdentitiesandassociatethesewithyourdistributions.TocontrolwhocandownloadobjectsfromAmazonCloudFrontedgelocations,theserviceusesasigned-URLverificationsystem.

Storage

AmazonSimpleStorageService(AmazonS3)AmazonS3allowsyoutouploadandretrievedataatanytime,fromanywhereontheweb.AccesstodatastoredinAmazonS3isrestrictedbydefault;onlybucketandobjectownershaveaccesstotheAmazonS3resourcestheycreate.YoucansecurelyuploadanddownloaddatatoAmazonS3viatheSSL-encryptedendpoints.AmazonS3supportsseveralmethodstoencryptdataatrest.

AmazonGlacierAmazonGlacierserviceprovideslow-cost,secure,anddurablestorage.YoucansecurelyuploadanddownloaddatatoAmazonGlacierviatheSSL-encryptedendpoints,andtheserviceautomaticallyencryptsthedatausingAES-256andstoresitdurablyinanimmutableform.

AWSStorageGatewayAWSStorageGatewayserviceconnectsyouron-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenyourITenvironmentandAWSstorageinfrastructure.Dataisasynchronouslytransferredfromyouron-premisesstoragehardwaretoAWSoverSSLandstoredencryptedinAmazonS3usingAES-256.

DatabaseAmazonDynamoDBAmazonDynamoDBisamanagedNoSQLdatabaseservicethatprovidesfastandpredictableperformancewithseamlessscalability.Youcancontrolaccessatthedatabaselevelbycreatingdatabase-levelpermissionsthatallowordenyaccesstoitems(rows)andattributes(columns)basedontheneedsofyourapplication.

AmazonRelationalDatabaseService(RDS)AmazonRDSallowsyoutoquicklycreatearelationalDBInstanceandflexiblyscaletheassociatedcomputeresourcesandstoragecapacitytomeetapplicationdemand.YoucancontrolAmazonRDSDBInstanceaccessviaDBsecuritygroups,whichactlikeafirewallcontrollingnetworkaccesstoyourDBInstance.Databasesecuritygroupsdefaulttodenyallaccessmode,andcustomersmustspecificallyauthorizenetworkingress.AmazonRDSissupportedwithinanAmazonVPC,andforMulti-AZdeployments,definingasubnetforallAvailabilityZonesinaregionwillallowAmazonRDStocreateanewstandbyinanotherAvailabilityZoneshouldtheneedarise.YoucanencryptconnectionsbetweenyourapplicationandyourDBInstanceusingSSL,andyoucanencryptdataatrestwithinAmazonRDSinstancesforalldatabaseengines.

AmazonRedshiftAmazonRedshiftisapetabyte-scaleSQLdatawarehouseservicethatrunsonhighlyoptimizedandmanagedAWScomputeandstorageresources.Theserviceenablesyoutoconfigurefirewallrules(securitygroups)tocontrolnetworkaccesstoyourdatawarehousecluster.DatabaseusersarenameduseraccountsthatcanconnecttoadatabaseandareauthenticatedwhentheylogintoAmazonRedshift.InAmazonRedshift,yougrantdatabaseuserpermissionsonaper-clusterbasisinsteadofonaper-tablebasis.YoumaychooseforAmazonRedshifttostorealldatainuser-createdtablesinanencryptedformatusinghardware-acceleratedAES-256blockencryptionkeys.Thisincludesalldatawrittentodiskandalsoanybackups.AmazonRedshiftusesafour-tier,key-basedarchitectureforencryption.Thesekeysconsistofdataencryptionkeys,adatabasekey,aclusterkey,andamasterkey.

AmazonElastiCacheAmazonElastiCacheisawebservicethatmakesiteasytosetup,manage,andscaledistributedin-memorycacheenvironmentsinthecloud.AmazonElastiCacheallowsyoutocontrolaccesstoyourCacheClustersusingCacheSecurityGroups.

ACacheSecurityGroupactslikeafirewall,controllingnetworkaccesstoyourCacheCluster.

ApplicationServicesAmazonSimpleQueueService(SQS)AmazonSQSisahighlyreliable,scalablemessagequeuingservicethatenablesasynchronousmessage-basedcommunicationbetweendistributedcomponentsofanapplication.AmazonSQSaccessisgrantedbasedonanAWSaccountorausercreatedwithAWSIAM.DatastoredwithinAmazonSQSisnotencryptedbyAWS;however,theusercanencryptdatabeforeitisuploadedtoAmazonSQS,providedthattheapplicationusingthequeuehasameanstodecryptthemessagewhenit’sretrieved.

AmazonSimpleNotificationService(SNS)AmazonSNSisawebservicethatmakesiteasytosetup,operate,andsendnotificationsfromthecloud.Itprovidesdeveloperswithahighlyscalable,flexible,andcost-effectivecapabilitytopublishmessagesfromanapplicationandimmediatelydeliverthemtosubscribersorotherapplications.AmazonSNSallowstopicownerstosetpoliciesforatopicthatrestrictwhocanpublishorsubscribetoatopic.

AnalyticsAmazonElasticMapReduce(AmazonEMR)AmazonEMRisamanagedwebserviceyoucanusetorunHadoopclustersthatprocessvastamountsofdatabydistributingtheworkanddataamongseveralservers.Whenlaunchingjobflowsonyourbehalf,AmazonEMRsetsuptwoAmazonEC2securitygroups:oneforthemasternodesandanotherfortheslaves.YoucanlaunchtheAmazonEC2instancesofyourAmazonEMRclusterintoanAmazonVPC,whichislikelaunchingitintoaprivatesubnet.YoucanencrypttheinputdatabeforeyouuploadittoAmazonS3usinganycommondataencryptiontool.Ifyoudoencryptthedatabeforeitisuploaded,youthenneedtoaddadecryptionsteptothebeginningofyourjobflowwhenAmazonEMRfetchesthedatafromAmazonS3.

AmazonKinesisAmazonKinesisisamanagedservicedesignedtohandlereal-timestreamingofbigdata.YoucancontrollogicalaccesstoAmazonKinesisresourcesandmanagementfunctionsbycreatingusersunderyourAWSaccountusingAWSIAMandcontrollingwhichAmazonKinesisoperationstheseusershavepermissiontoperform.TheAmazonKinesisAPIisonlyaccessibleviaanSSL-encryptedendpointtohelpensuresecuretransmissionofyourdatatoAWS.

DeploymentandManagementAWSIdentityandAccessManagement(IAM)AWSIAMallowsyoutocreatemultipleusersandmanagethepermissionsforeachoftheseuserswithinyourAWSaccount.Auserisanidentity(withinanAWSaccount)withuniquesecuritycredentialsthatcanbeusedtoaccessAWSCloudservices.IAMissecurebydefault;newusershavenoaccesstoAWSuntilpermissionsareexplicitlygranted.AroleisasetofpermissionstoaccessspecificAWSresources,butthesepermissionsarenottiedtoaspecificIAMuserorgroup.

MobileServicesAmazonCognitoAmazonCognitoprovidesidentityandsyncservicesformobileandweb-basedapplications.Yourapplicationauthenticateswithoneofthewell-knownidentityproviderssuchasGoogle,Facebook,andAmazonusingtheprovider’sSDK.Aftertheenduserisauthenticatedwiththeprovider,anOAuthorOpenIDConnecttokenreturnedfrom

theproviderispassedbyyourapplicationtoAmazonCognito,whichreturnsanewAmazonCognitoIDfortheuserandasetoftemporary,limited-privilegeAWScredentials.

ApplicationsAmazonWorkspacesAmazonWorkSpacesisamanageddesktopservicethatallowsyoutoquicklyprovisioncloud-baseddesktopsforyourusers.AmazonWorkSpacesusesPCoIP,whichprovidesaninteractivevideostreamwithouttransmittingactualdata.ThePCoIPprotocolcompresses,encrypts,andencodestheuser’sdesktopcomputingexperienceandtransmitsaspixelsonlyacrossanystandardIPnetworktoend-userdevices.InordertoaccesstheirWorkSpace,usersmustsigninusingasetofuniquecredentialsortheirregularActiveDirectorycredentials.YoucanalsorequiretheuseofMFAuponsign-inintheformofahardwareorsoftwaretoken.AmazonWorkSpacessupportsMFAusinganon-premisesRADIUSserveroranysecurityproviderthatsupportsRADIUSauthentication.ItcurrentlysupportsthePAP,CHAP,MS-CHAP1,andMS-CHAP2protocols,alongwithRADIUSproxies.

ExamEssentialsUnderstandthesharedresponsibilitymodel.AWSisresponsibleforsecuringtheunderlyinginfrastructurethatsupportsthecloud,andyou’reresponsibleforanythingyouputonthecloudorconnecttothecloud.

UnderstandregionsandAvailabilityZones.Eachregioniscompletelyindependent.Eachregionisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.RegionsareacollectionofAvailabilityZones.EachAvailabilityZoneisisolated,buttheAvailabilityZonesinaregionareconnectedthroughlow-latencylinks.

UnderstandHigh-AvailabilitySystemDesignwithinAWS.YoushouldarchitectyourAWSusagetotakeadvantageofmultipleregionsandAvailabilityZones.DistributingapplicationsacrossmultipleAvailabilityZonesprovidestheabilitytoremainresilientinthefaceofmostfailuremodes,includingnaturaldisastersorsystemfailures.

UnderstandthenetworksecurityofAWS.Networkdevices,includingfirewallandotherboundarydevices,areinplacetomonitorandcontrolcommunicationsattheexternalboundaryofthenetworkandatkeyinternalboundarieswithinthenetwork.Theseboundarydevicesemployrulesets,ACLs,andconfigurationstoenforcetheflowofinformationtospecificinformationsystemservices.

AWShasstrategicallyplacedalimitednumberofaccesspointstothecloudtoallowforamorecomprehensivemonitoringofinboundandoutboundcommunicationsandnetworktraffic.ThesecustomeraccesspointsarecalledAPIendpoints,andtheyallowHTTPSaccess,whichallowsyoutoestablishasecurecommunicationsessionwithyourstorageorcomputeinstanceswithinAWS.

AmazonEC2instancescannotsendspoofednetworktraffic.TheAWS-controlled,host-basedfirewallinfrastructurewillnotpermitaninstancetosendtrafficwithasourceIPorMACaddressotherthanitsown.

UnauthorizedportscansbyAmazonEC2customersareaviolationoftheAWSAcceptableUsePolicy.ViolationsoftheAWSAcceptableUsePolicyaretakenseriously,andeveryreportedviolationisinvestigated.

ItisnotpossibleforanAmazonEC2instancerunninginpromiscuousmodetoreceiveor“sniff”trafficthatisintendedforadifferentvirtualinstance.

UnderstandtheuseofcredentialsonAWS.AWSemploysseveralcredentialsinordertopositivelyidentifyapersonorauthorizeanAPIcalltotheplatform.Credentialsinclude:

Passwords


Multi-FactorAuthentication(MFA)


AccessKeys

DigitallysignedrequeststoAWSAPIs(usingtheAWSSDK,CLI,orREST/QueryAPIs)

Understandtheproperuseofaccesskeys.Becauseaccesskeyscanbemisusediftheyfallintothewronghands,AWSencouragesyoutosavetheminasafeplaceandnottoembedtheminyourcode.Forcustomerswithlargefleetsofelastically-scalingAmazonEC2instances,theuseofIAMrolescanbeamoresecureandconvenientwaytomanagethedistributionofaccesskeys.

UnderstandthevalueofAWSCloudTrail.AWSCloudTrailisawebservicethatrecordsAPIcallsmadeonyouraccountanddeliverslogfilestoyourAmazonS3bucket.AWSCloudTrail’sbenefitisvisibilityintoaccountactivitybyrecordingAPIcallsmadeonyouraccount.

UnderstandthesecurityfeaturesofAmazonEC2.AmazonEC2usespublic-keycryptographytoencryptanddecryptlogininformation.Public-keycryptographyusesapublickeytoencryptapieceofdata,suchasapassword,andthentherecipientusestheprivatekeytodecryptthedata.Thepublicandprivatekeysareknownasakeypair.

Tologintoyourinstance,youmustcreateakeypair,specifythenameofthekeypairwhenyoulaunchtheinstance,andprovidetheprivatekeywhenyouconnecttotheinstance.Linuxinstanceshavenopassword,andyouuseakeypairtologinusingSSH.WithWindowsinstances,youuseakeypairtoobtaintheadministratorpasswordandthenloginusingRDP.

Asecuritygroupactsasavirtualfirewallthatcontrolsthetrafficforoneormoreinstances.Whenyoulaunchaninstance,youassociateoneormoresecuritygroupswiththeinstance.Youaddrulestoeachsecuritygroupthatallowtraffictoorfromitsassociatedinstances.Youcanmodifytherulesforasecuritygroupatanytime;thenewrulesareautomaticallyappliedtoallinstancesthatareassociatedwiththesecuritygroup.

UnderstandAWSuseofencryptionofdataintransit.AllserviceendpointssupportencryptionofdataintransitviaHTTPS.

Knowwhichservicesofferencryptionofdataatrestasafeature.Thefollowingservicesofferafeaturetoencryptdataatrest:

AmazonS3

AmazonEBS

AmazonGlacier

AWSStorageGateway

AmazonRDS

AmazonRedshift

AmazonWorkSpaces

ExercisesThebestwaytobecomefamiliarwiththesecurityfeaturesofAWSistodotheexercisesforeachchapterandinspectthesecurityfeaturesofferedbytheservice.TakealookatthislistofAWSCloudservicescoveredindifferentchaptersandtheirsecurityfeatures:

Chapter6,AWSIAM

Exercise6.1:CreateanIAMGroup

Exercise6.2:CreateaCustomizedSign-InLinkandPasswordPolicy

Exercise6.3:CreateanIAMUser

Exercise6.4:CreateandUseanIAMRole

Exercise6.5:RotateKeys

Exercise6.6:SetUpMFA

Exercise6.7:ResolveConflictingPermissions

Chapter3,AmazonEC2

Exercise3.1:LaunchandConnecttoaLinuxInstance

Exercise3.2:LaunchaWindowsInstancewithBootstrapping

Chapter3,AmazonEBS

Exercise3.8:LaunchanEncryptedVolume

Chapter2,AmazonS3

Exercise2.1:CreateanAmazonSimpleStorageService(AmazonS3)Bucket

Exercise2.2:Upload,MakePublic,Rename,andDeleteObjectsinYourBucket

Chapter4,AmazonVPC

Exercise4.1:CreateaCustomAmazonVPC

Exercise4.2:CreateTwoSubnetsforYourCustomAmazonVPC

Exercise4.3:ConnectYourAmazonVPCtotheInternetandEstablishRouting

Exercise4.4:LaunchanAmazonEC2InstanceandTesttheConnectiontotheInternet.

Chapter7,AmazonRDS

Exercise7.1:CreateaMySQLAmazonRDSInstance

Exercise7.2:SimulateaFailoverfromOneAZtoAnother

ReviewQuestions1. WhichisanoperationalprocessperformedbyAWSfordatasecurity?

A. AdvancedEncryptionStandard(AES)-256encryptionofdatastoredonanysharedstoragedevice

B. Decommissioningofstoragedevicesusingindustry-standardpractices

C. BackgroundvirusscansofAmazonElasticBlockStore(AmazonEBS)volumesandAmazonEBSsnapshots

D. ReplicationofdataacrossmultipleAWSregions

E. SecurewipingofAmazonEBSdatawhenanAmazonEBSvolumeisunmounted

2. YouhavelaunchedaWindowsAmazonElasticComputeCloud(AmazonEC2)instanceandspecifiedanAmazonEC2keypairfortheinstanceatlaunch.Whichofthefollowingaccuratelydescribeshowtologintotheinstance?

A. UsetheAmazonEC2keypairtosecurelyconnecttotheinstanceviaSecureShell(SSH).

B. UseyourAWSIdentityandAccessManagement(IAM)userX.509certificatetologintotheinstance.

C. UsetheAmazonEC2keypairtodecrypttheadministratorpasswordandthensecurelyconnecttotheinstanceviaRemoteDesktopProtocol(RDP)astheadministrator.

D. Akeypairisnotneeded.SecurelyconnecttotheinstanceviaRDP.

3. ADatabasesecuritygroupcontrolsnetworkaccesstoadatabaseinstancethatisinsideaVirtualPrivateCloud(VPC)andbydefaultallowsaccessfrom?

A. AccessfromanyIPaddressforthestandardportsthatthedatabaseusesisprovidedbydefault.

B. AccessfromanyIPaddressforanyportisprovidedbydefaultintheDBsecuritygroup.

C. Noaccessisprovidedbydefault,andanyaccessmustbeexplicitlyaddedwitharuletotheDBsecuritygroup.

D. AccessforthedatabaseconnectionstringisprovidedbydefaultintheDBsecuritygroup.

4. WhichencryptionalgorithmisusedbyAmazonSimpleStorageService(AmazonS3)toencryptdataatrestwithService-SideEncryption(SSE)?

A. AdvancedEncryptionStandard(AES)-256

B. RSA1024

C. RSA2048

D. AES-128

5. HowmanyaccesskeysmayanAWSIdentityandAccessManagement(IAM)userhaveactiveatonetime?

A. 0

B. 1

C. 2

D. 3

6. WhichofthefollowingisthenameofthesecuritymodelemployedbyAWSwithitscustomers?

A. Thesharedsecretmodel

B. Thesharedresponsibilitymodel

C. Thesharedsecretkeymodel

D. Thesecretkeyresponsibilitymodel

7. WhichofthefollowingdescribestheschemeusedbyanAmazonRedshiftclusterleveragingAWSKeyManagementService(AWSKMS)toencryptdata-at-rest?

A. AmazonRedshiftusesaone-tier,key-basedarchitectureforencryption.

B. AmazonRedshiftusesatwo-tier,key-basedarchitectureforencryption.

C. AmazonRedshiftusesathree-tier,key-basedarchitectureforencryption.

D. AmazonRedshiftusesafour-tier,key-basedarchitectureforencryption.

8. WhichofthefollowingElasticLoadBalancingoptionsensurethattheloadbalancerdetermineswhichcipherisusedforaSecureSocketsLayer(SSL)connection?

A. ClientServerCipherSuite

B. ServerCipherOnly

C. FirstServerCipher

D. ServerOrderPreference

9. WhichtechnologydoesAmazonWorkSpacesusetoprovidedatasecurity?

A. SecureSocketsLayer(SSL)/TransportLayerSecurity(TLS)

B. AdvancedEncryptionStandard(AES)-256

C. PC-over-IP(PCoIP)

D. AES-128

10. AsaSolutionsArchitect,howshouldyouarchitectsystemsonAWS?

A. Youshouldarchitectforleastcost.

B. YoushouldarchitectyourAWSusagetotakeadvantageofAmazonSimpleStorageService’s(AmazonS3)durability.

C. YoushouldarchitectyourAWSusagetotakeadvantageofmultipleregionsandAvailabilityZones.

D. YoushouldarchitectwithAmazonElasticComputeCloud(AmazonEC2)AutoScalingtoensurecapacityisavailablewhenneeded.

11. WhichsecurityschemeisusedbytheAWSMulti-FactorAuthentication(AWSMFA)token?

A. Time-BasedOne-TimePassword(TOTP)

B. PerfectForwardSecrecy(PFC)

C. EphemeralDiffieHellman(EDH)

D. Split-KeyEncryption(SKE)

12. DynamoDBtablesmaycontainsensitivedatathatneedstobeprotected.WhichofthefollowingisawayforyoutoprotectDynamoDBtablecontent?(Choose2answers)

A. DynamoDBencryptsalldataserver-sidebydefaultsonothingisrequired.

B. DynamoDBcanstoredataencryptedwithaclient-sideencryptionlibrarysolutionbeforestoringthedatainDynamoDB.

C. DynamoDBobfuscatesalldatastoredsoencryptionisnotrequired.

D. DynamoDBcanbeusedwiththeAWSKeyManagementServicetoencryptthedatabeforestoringthedatainDynamoDB.

E. DynamoDBshouldnotbeusedtostoresensitiveinformationrequiringprotection.

13. YouhavelaunchedanAmazonLinuxElasticComputeCloud(AmazonEC2)instanceintoEC2-Classic,andtheinstancehassuccessfullypassedtheSystemStatusCheckandInstanceStatusCheck.YouattempttosecurelyconnecttotheinstanceviaSecureShell(SSH)andreceivetheresponse,“WARNING:UNPROTECTEDPRIVATEKEYFILE,”afterwhichtheloginfails.Whichofthefollowingisthecauseofthefailedlogin?

A. Youareusingthewrongprivatekey.

B. Thepermissionsfortheprivatekeyaretooinsecureforthekeytobetrusted.

C. Asecuritygroupruleisblockingtheconnection.

D. Asecuritygrouprulehasnotbeenassociatedwiththeprivatekey.

14. WhichofthefollowingpublicidentityprovidersaresupportedbyAmazonCognitoIdentity?

A. Amazon

B. Google

C. Facebook

D. Alloftheabove

15. WhichfeatureofAWSisdesignedtopermitcallstotheplatformfromanAmazonElasticComputeCloud(AmazonEC2)instancewithoutneedingaccesskeysplacedontheinstance?

A. AWSIdentityandAccessManagement(IAM)instanceprofile

B. IAMgroups

C. IAMroles

D. AmazonEC2keypairs

16. WhichofthefollowingAmazonVirtualPrivateCloud(AmazonVPC)elementsactsasastatelessfirewall?

A. Securitygroup

B. NetworkAccessControlList(ACL)

C. NetworkAddressTranslation(NAT)instance

D. AnAmazonVPCendpoint

17. WhichofthefollowingisthemostrecentversionoftheAWSdigitalsignaturecalculationprocess?

A. SignatureVersion1

B. SignatureVersion2

C. SignatureVersion3

D. SignatureVersion4

18. WhichofthefollowingisthenameofthefeaturewithinAmazonVirtualPrivateCloud(AmazonVPC)thatallowsyoutolaunchAmazonElasticComputeCloud(AmazonEC2)instancesonhardwarededicatedtoasinglecustomer?

A. AmazonVPC-basedtenancy

B. Dedicatedtenancy

C. Defaulttenancy

D. Host-basedtenancy

19. WhichofthefollowingdescribeshowAmazonElasticMapReduce(AmazonEMR)protectsaccesstothecluster?

A. ThemasternodeandtheslavenodesarelaunchedintoanAmazonVirtualPrivateCloud(AmazonVPC).

B. ThemasternodesupportsaVirtualPrivateNetwork(VPN)connectionfromthekeyspecifiedatclusterlaunch.

C. ThemasternodeislaunchedintoasecuritygroupthatallowsSecureShell(SSH)andserviceaccess,whiletheslavenodesarelaunchedintoaseparatesecuritygroupthatonlypermitscommunicationwiththemasternode.

D. ThemasternodeandslavenodesarelaunchedintoasecuritygroupthatallowsSSHandserviceaccess.

20. Tohelppreventdatalossduetothefailureofanysinglehardwarecomponent,AmazonElasticBlockStorage(AmazonEBS)automaticallyreplicatesEBSvolumedatatowhichofthefollowing?

A. AmazonEBSreplicatesEBSvolumedatawithinthesameAvailabilityZoneinaregion.

B. AmazonEBSreplicatesEBSvolumedataacrossotherAvailabilityZoneswithinthesameregion.

C. AmazonEBSreplicatesEBSvolumedataacrossAvailabilityZonesinthesameregionandinAvailabilityZonesinoneotherregion.

D. AmazonEBSreplicatesEBSvolumedataacrossAvailabilityZonesinthesameregionandinAvailabilityZonesineveryotherregion.

Chapter13AWSRiskandComplianceTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.






Sharedsecurityresponsibilitymodel

SecurityArchitecturewithAWS


AWSsecurityattributes

Designpatterns

IntroductionAWSanditscustomerssharecontrolovertheITenvironment,sobothpartieshaveresponsibilityformanagingthatenvironment.AWSpartinthissharedresponsibilityincludesprovidingitsservicesonahighlysecureandcontrolledplatformandprovidingawidearrayofsecurityfeaturescustomerscanuse.

ThecustomerisresponsibleforconfiguringtheirITenvironmentinasecureandcontrolledmannerfortheirpurposes.Whilecustomersdon’tcommunicatetheiruseandconfigurationstoAWS,AWSdoescommunicatewithcustomersregardingitssecurityandcontrolenvironment,asrelevant.AWSdisseminatesthisinformationusingthreeprimarymechanisms.First,AWSworksdiligentlytoobtainindustrycertificationsandindependentthird-partyattestations.Second,AWSopenlypublishesinformationaboutitssecurityandcontrolpracticesinwhitepapersandwebsitecontent.Finally,AWSprovidescertificates,reports,andotherdocumentationdirectlytoitscustomersunderNon-DisclosureAgreements(NDAs)asrequired.

OverviewofComplianceinAWSWhencustomersmovetheirproductionworkloadstotheAWScloud,bothpartiesbecomeresponsibleformanagingtheITenvironment.Thecustomersareresponsibleforsettinguptheirenvironmentinasecureandcontrolledmanner.ThecustomersalsoneedtomaintainadequategovernanceovertheirentireITcontrolenvironment.ThissectiondescribestheAWSsharedresponsibilitymodelandgivesadviceforhowtoestablishstrongcompliance.

SharedResponsibilityModelAsmentionedinChapter12,“SecurityonAWS,”ascustomersmigratetheirITenvironmentstoAWS,theycreateamodelofsharedresponsibilitybetweenthemselvesandAWS.Thissharedresponsibilitymodelcanhelplessenacustomer’sIToperationalburden,asitisAWSresponsibilitytomanagethecomponentsfromthehostoperatingsystemandvirtualizationlayerdowntothephysicalsecurityofthedatacentersinwhichtheseservicesoperate.Thecustomerisresponsibleforthecomponentsfromtheguestoperatingsystemupward(includingupdates,securitypatches,andantivirussoftware).Thecustomerisalsoresponsibleforanyotherapplicationsoftware,aswellastheconfigurationofsecuritygroups,VirtualPrivateClouds(VPCs),andsoon.

WhileAWSmanagesthesecurityofthecloud,securityinthecloudistheresponsibilityofthecustomer.Customersretaincontrolofwhatsecuritytheychoosetoimplementtoprotecttheirowncontent,platform,applications,systems,andnetworks,nodifferentlythantheywouldforapplicationsinanon-sitedatacenter.Figure13.1illustratesthedemarcationbetweencustomerandAWSresponsibilities.

FIGURE13.1Sharedresponsibilitymodel

Customersneedtobeawareofanyapplicablelawsandregulationswithwhichtheyhavetocomply,andthentheymustconsiderwhethertheservicesthattheyconsumeonAWSarecompliantwiththeselaws.Insomecases,itmaybenecessarytoenhanceanexistingplatformonAWSwithadditionalsecuritymeasures(suchasdeployingawebapplicationfirewall,IntrusionDetectionSystem[IDS],orIntrusionPreventionSystem[IPS],orusingsomeformofencryptionfordataatrest).

Thiscustomer/AWSsharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations,butitalsoextendstoITcontrols.Forexample,themanagement,operation,andverificationofITcontrolsaresharedbetweenAWSandthecustomer.BeforemovingtotheAWSCloud,customerswereresponsibleformanagingalloftheITcontrolsintheirenvironments.AWSmanagesthecontrolsforthephysicalinfrastructure,therebytakingtheundifferentiatedheavyliftingfromcustomers,allowingthemtofocusonmanagingtherelevantITcontrols.BecauseeverycustomerisdeployeddifferentlyinAWS,customerscanshiftmanagementofcertainITcontrolstoAWS.ThischangeinmanagementofITcontrolsresultsinanew,distributedcontrolenvironment.CustomerscanthenusetheAWScontrolandcompliancedocumentationavailabletothemtoperformtheircontrolevaluationandverificationproceduresasrequired.

StrongComplianceGovernanceItisstillthecustomers’responsibilitytomaintainadequategovernanceovertheentireITcontrolenvironment,regardlessofhowtheirITisdeployed(whetheritison-premises,onthecloud,orpartofahybridenvironment).BydeployingtotheAWSCloud,customershave

optionstoapplydifferenttypesofcontrolsandvariousverificationmethods.

Toachievestrongcomplianceandgovernance,customersmaywanttofollowthisbasicmethodology:

1. Takeaholisticapproach.ReviewtheinformationavailablefromAWStogetherwithallotherinformationtounderstandasmuchoftheITenvironmentastheycan.Afterthisiscomplete,documentallcompliancerequirements.

2. Designandimplementcontrolobjectivestomeettheorganization’scompliancerequirements.

3. Identifyanddocumentcontrolsownedbyallthirdparties.

4. Verifythatallcontrolobjectivesaremetandallkeycontrolsaredesignedandoperatingeffectively.

Byusingthisbasicmethodology,customerscangainabetterunderstandingoftheircontrolenvironment.Ultimately,thiswillstreamlinetheprocessandhelpseparateanyverificationactivitiesthatneedtobeperformed.

EvaluatingandIntegratingAWSControlsAWSprovidescustomerswithawiderangeofinformationregardingitsITcontrolenvironmentthroughwhitepapers,reports,certifications,andotherthird-partyattestations.ThisdocumentationassistscustomersinunderstandingthecontrolsinplacerelevanttotheAWSCloudservicestheyuseandhowthosecontrolshavebeenvalidated.ThisinformationalsoassistscustomersintheireffortstoaccountforandvalidatethatcontrolsintheirextendedITenvironmentareoperatingeffectively.

Traditionally,thedesignandoperatingeffectivenessofcontrolsandcontrolobjectivesarevalidatedbyinternaland/orexternalauditorsviaprocesswalkthroughsandevidenceevaluation.Directobservationandverification,bythecustomerorcustomer’sexternalauditor,isgenerallyperformedtovalidatecontrols.InthecasewhereserviceproviderssuchasAWSareused,companiesrequestandevaluatethird-partyattestationsandcertificationsinordertogainreasonableassuranceofthedesignandoperatingeffectivenessofcontrolsandcontrolobjectives.Asaresult,althoughacustomer’skeycontrolsmaybemanagedbyAWS,thecontrolenvironmentcanstillbeaunifiedframeworkinwhichallcontrolsareaccountedforandareverifiedasoperatingeffectively.AWSthird-partyattestationsandcertificationsnotonlyprovideahigherlevelofvalidationofthecontrolenvironment,butmayalsorelievecustomersoftherequirementtoperformcertainvalidationworkthemselves.

AWSITControlInformationAWSprovidesITcontrolinformationtocustomersinthefollowingtwoways.

SpecificControlDefinitionAWScustomerscanidentifykeycontrolsmanagedbyAWS.Keycontrolsarecriticaltothecustomer’scontrolenvironmentandrequireanexternalattestationoftheoperatingeffectivenessofthesekeycontrolsinordertomeetcompliancerequirements(forexample,anannualfinancialaudit).Forthispurpose,AWSpublishesawiderangeofspecificITcontrolsinitsServiceOrganizationControls1(SOC1)TypeIIreport.TheSOC1TypeIIreport,formerlytheStatementonAuditingStandards(SAS)No.70,isawidelyrecognizedauditingstandarddevelopedbytheAmericanInstituteofCertifiedPublicAccountants(AICPA).TheSOC1auditisanin-depthauditofboththedesignandoperatingeffectivenessofAWSdefinedcontrolobjectivesandcontrolactivities(whichincludecontrolobjectivesandcontrolactivitiesoverthepartoftheinfrastructurethatAWSmanages).“TypeII”referstothefactthateachofthecontrolsdescribedinthereportarenotonlyevaluatedforadequacyofdesign,butarealsotestedforoperatingeffectivenessbytheexternalauditor.BecauseoftheindependenceandcompetenceofAWSexternalauditor,controlsidentifiedinthereportshouldprovidecustomerswithahighlevelofconfidenceinAWScontrolenvironment.

AWScontrolscanbeconsideredeffectivelydesignedandoperatingformanycompliancepurposes,includingSarbanes-Oxley(SOX)Section404financialstatementaudits.LeveragingSOC1TypeIIreportsisalsogenerallypermittedbyotherexternalcertifyingbodies.Forexample,InternationalOrganizationforStandardization(ISO)27001auditorsmayrequestaSOC1TypeIIreportinordertocompletetheirevaluationsforcustomers.

GeneralControlStandardComplianceIfanAWScustomerrequiresabroadsetofcontrolobjectivestobemet,evaluationofAWSindustrycertificationsmaybeperformed.WiththeISO27001certification,AWScomplieswithabroad,comprehensivesecuritystandardandfollowsbestpracticesinmaintainingasecureenvironment.WiththePaymentCardIndustry(PCI)DataSecurityStandard(DSS)certification,AWScomplieswithasetofcontrolsimportanttocompaniesthathandlecreditcardinformation.AWScompliancewithFederalInformationSecurityManagementAct(FISMA)standardsmeansthatAWScomplieswithawiderangeofspecificcontrolsrequiredbyU.S.governmentagencies.AWScompliancewiththesegeneralstandardsprovidescustomerswithin-depthinformationonthecomprehensivenatureofthecontrolsandsecurityprocessesinplaceintheAWSCloud.

AWSGlobalRegionsTheAWSCloudinfrastructureisbuiltaroundregionsandavailabilityzones.AregionisaphysicallocationintheworldwherewehavemultipleAvailabilityZones.AvailabilityZonesconsistofoneormorediscretedatacenters,eachwithredundantpower,networking,andconnectivity,housedinseparatefacilities.TheseAvailabilityZonesoffercustomerstheabilitytooperateproductionapplicationsanddatabasesthataremorehighlyavailable,faulttolerant,andscalablethanwouldbepossibleusingasingledatacenter.

Asofthiswriting,theAWSCloudoperates33AvailabilityZoneswithin12geographicregionsaroundtheworld.The12regionsareUSEast(NorthernVirginia),USWest(Oregon),USWest(NorthernCalifornia),AWSGovCloud(US)(Oregon),EU(Frankfurt),EU(Ireland),AsiaPacific(Singapore),AsiaPacific(Tokyo),AsiaPacific(Sydney),AsiaPacific(Seoul),China(Beijing),andSouthAmerica(SaoPaulo).

AWSRiskandComplianceProgramAWSRiskandComplianceisdesignedtobuildontraditionalprogramsandhelpcustomersestablishandoperateinanAWSsecuritycontrolenvironment.AWSprovidesdetailedinformationaboutitsriskandcomplianceprogramtoenablecustomerstoincorporateAWScontrolsintotheirgovernanceframeworks.ThisinformationcanassistcustomersindocumentingcompletecontrolandgovernanceframeworksinwhichAWSisincludedasanimportantpart.

Thethreecoreareasoftheriskandcomplianceprogram—riskmanagement,controlenvironment,andinformationsecurity—aredescribednext.

RiskManagementAWShasdevelopedastrategicbusinessplanthatincludesriskidentificationandtheimplementationofcontrolstomitigateormanagerisks.AnAWSmanagementteamreevaluatesthebusinessriskplanatleasttwiceayear.Asapartofthisprocess,managementteammembersarerequiredtoidentifyriskswithintheirspecificareasofresponsibilityandimplementcontrolsdesignedtoaddressandperhapseveneliminatethoserisks.

TheAWScontrolenvironmentissubjecttoadditionalinternalandexternalriskassessments.TheAWScomplianceandsecurityteamshaveestablishedaninformationsecurityframeworkandpoliciesbasedontheControlObjectivesforInformationandRelatedTechnology(COBIT)framework,andtheyhaveeffectivelyintegratedtheISO27001certifiableframeworkbasedonISO27002controls,AICPATrustServicesPrinciples,PCIDSSv3.1,andtheNationalInstituteofStandardsandTechnology(NIST)Publication800–53,Revision3,RecommendedSecurityControlsforFederalInformationSystems.AWSmaintainsthesecuritypolicyandprovidessecuritytrainingtoitsemployees.Additionally,AWSperformsregularapplicationsecurityreviewstoassesstheconfidentiality,integrity,andavailabilityofdata,andconformancetotheinformationsecuritypolicy.

TheAWSsecurityteamregularlyscansanypublic-facingendpointIPaddressesforvulnerabilities.Itisimportanttounderstandthatthesescansdonotincludecustomerinstances.AWSsecuritynotifiestheappropriatepartiestoremediateanyidentifiedvulnerabilities.Inaddition,independentsecurityfirmsregularlyperformexternalvulnerabilitythreatassessments.FindingsandrecommendationsresultingfromtheseassessmentsarecategorizedanddeliveredtoAWSleadership.ThesescansaredoneinamannerforthehealthandviabilityoftheunderlyingAWSinfrastructureandarenotmeanttoreplacethecustomer’sownvulnerabilityscansthatarerequiredtomeettheirspecificcompliancerequirements.

AsmentionedinChapter12,customerscanrequestpermissiontoconducttheirownvulnerabilityscansontheirownenvironments.ThesevulnerabilityscansmustnotviolatetheAWSacceptableusepolicy,andtheymustberequestedinadvanceofthescan.

ControlEnvironmentAWSmanagesacomprehensivecontrolenvironmentthatconsistsofpolicies,processes,andcontrolactivities.ThiscontrolenvironmentisinplaceforthesecuredeliveryofAWSservice

offerings.Thecollectivecontrolenvironmentincludespeople,processes,andtechnologynecessarytoestablishandmaintainanenvironmentthatsupportstheoperatingeffectivenessofAWScontrolframework.AWShasintegratedapplicable,cloud-specificcontrolsidentifiedbyleadingcloudcomputingindustrybodiesintotheAWScontrolframework.AWScontinuestomonitortheseindustrygroupsforideasonwhichleadingpracticescanbeimplementedtobetterassistcustomerswithmanagingtheircontrolenvironments.

ThecontrolenvironmentatAWSbeginsatthehighestlevelofthecompany.Executiveandseniorleadershipplayimportantrolesinestablishingthecompany’stoneandcorevalues.Everyemployeeisprovidedwiththecompany’scodeofbusinessconductandethicsandcompletesperiodictraining.Complianceauditsareperformedsothatemployeesunderstandandfollowtheestablishedpolicies.

TheAWSorganizationalstructureprovidesaframeworkforplanning,executing,andcontrollingbusinessoperations.Theorganizationalstructureassignsrolesandresponsibilitiestoprovideforadequatestaffing,efficiencyofoperations,andthesegregationofduties.Managementhasalsoestablishedauthorityandappropriatelinesofreportingforkeypersonnel.Includedaspartofthecompany’shiringverificationprocessesareeducation,previousemployment,and,insomecases,backgroundchecksaspermittedbylawforemployeescommensuratewiththeemployee’spositionandlevelofaccesstoAWSfacilities.ThecompanyfollowsastructuredonboardingprocesstofamiliarizenewemployeeswithAmazontools,processes,systems,policies,andprocedures.

InformationSecurityAWSusesaformalinformationsecurityprogramthatisdesignedtoprotecttheconfidentiality,integrity,andavailabilityofcustomers’systemsanddata.AWSpublishesseveralsecuritywhitepapersthatareavailableonthemainAWSwebsite.ThesewhitepapersarerecommendedreadingpriortotakingtheAWSSolutionsArchitectAssociateexam.

AWSReports,Certifications,andThird-PartyAttestationsAWSengageswithexternalcertifyingbodiesandindependentauditorstoprovidecustomerswithconsiderableinformationregardingthepolicies,processes,andcontrolsestablishedandoperatedbyAWS.Ahigh-leveldescriptionofthevariousAWSreports,certifications,andattestationsisprovidedhere.

CriminalJusticeInformationServices(CJIS)—AWScomplieswiththeFederalBureauofInvestigation’s(FBI)CJISstandard.AWSsignsCJISsecurityagreementswithAWScustomers,whichincludeallowingorperforminganyrequiredemployeebackgroundchecksaccordingtotheCJISsecuritypolicy.

CloudSecurityAlliance(CSA)—In2011,theCSAlaunchedtheSecurity,Trust,&AssuranceRegistry(STAR),aninitiativetoencouragetransparencyofsecuritypracticeswithincloudproviders.CSASTARisafree,publiclyaccessibleregistrythatdocumentsthesecuritycontrolsprovidedbyvariouscloudcomputingofferings,therebyhelpingusersassessthesecurityofcloudproviderstheycurrentlyuseorwithwhomtheyareconsideringcontracting.AWSisaCSASTARregistrantandhascompletedtheCSAConsensusAssessmentsInitiativeQuestionnaire(CAIQ).

CyberEssentialsPlus—CyberEssentialsPlusisaUKgovernment-backed,industry-supportedcertificationschemaintroducedintheUKtohelporganizationsdemonstrateoperationalsecurityagainstcommoncyber-attacks.ItdemonstratesthebaselinecontrolsthatAWSimplementstomitigatetheriskfromcommonInternet-basedthreatswithinthecontextoftheUKgovernment’s“10StepstoCyberSecurity.”Itisbackedbyindustry,includingtheFederationofSmallBusinesses,theConfederationofBritishIndustry,andanumberofinsuranceorganizationsthatofferincentivesforbusinessesholdingthiscertification.

DepartmentofDefense(DoD)CloudSecurityModel(SRG)—TheDoDSRGprovidesaformalizedassessmentandauthorizationprocessforCloudServiceProviders(CSPs)togainaDoDprovisionalauthorization,whichcansubsequentlybeleveragedbyDoDcustomers.AprovisionalauthorizationundertheSRGprovidesareusablecertificationthatatteststoAWScompliancewithDoDstandards,reducingthetimenecessaryforaDoDmissionownertoassessandauthorizeoneoftheirsystemsforoperationonAWS.Asofthiswriting,AWSholdsprovisionalauthorizationsatLevels2(allAWSUS-basedregions)and4(AWSGovCloud[US])oftheSRG.

FederalRiskandAuthorizationManagementProgram(FedRAMP)—AWSisaFedRAMP-compliantCSP.AWShascompletedthetestingperformedbyaFedRAMP-accreditedthird-partyassessmentorganization(3PAO)andhasbeengrantedtwoAgencyAuthoritytoOperate(ATOs)bytheU.S.DepartmentofHealthandHumanServices(HHS)afterdemonstratingcompliancewithFedRAMPrequirementsatthemoderateimpactlevel.

FamilyEducationalRightsandPrivacyAct(FERPA)—FERPA(20U.S.C.§1232g;34CFRPart99)isafederallawthatprotectstheprivacyofstudenteducationrecords.ThelawappliestoallschoolsthatreceivefundsunderanapplicableprogramoftheU.S.DepartmentofEducation.FERPAgivesparentscertainrightswithrespectto

theirchildren’seducationrecords.Theserightstransfertothestudentwhenheorshereachestheageof18orattendsaschoolbeyondthehighschoollevel.Studentstowhomtherightshavetransferredare“eligiblestudents.”AWSenablescoveredentitiesandtheirbusinessassociatessubjecttoFERPAtoleveragethesecureAWSenvironmenttoprocess,maintain,andstoreprotectededucationinformation.

FederalInformationProcessingStandard(FIPS)140–2—FIPSPublication140–2isaUSgovernmentsecuritystandardthatspecifiesthesecurityrequirementsforcryptographicmodulesprotectingsensitiveinformation.TosupportcustomerswithFIPS140–2requirements,SecureSocketsLayer(SSL)terminationsinAWSGovCloud(US)operateusingFIPS140–2-validatedhardware.AWSworkswithAWSGovCloud(US)customerstoprovidetheinformationtheyneedtohelpmanagecompliancewhenusingtheAWSGovCloud(US)environment.

FISMAandDoDInformationAssuranceCertificationandAccreditationProcess(DIACAP)—AWSenablesU.S.governmentagenciestoachieveandsustaincompliancewithFISMA.TheAWSinfrastructurehasbeenevaluatedbyindependentassessorsforavarietyofgovernmentsystemsaspartoftheirsystemowners’approvalprocess.NumerousfederalcivilianandDoDorganizationshavesuccessfullyachievedsecurityauthorizationsforsystemshostedonAWSinaccordancewiththeRiskManagementFramework(RMF)processdefinedinNIST800–37andDIACAP.

HealthInsurancePortabilityandAccountabilityAct(HIPAA)—AWSenablescoveredentitiesandtheirbusinessassociatessubjecttoHIPAAtoleveragethesecureAWSenvironmenttoprocess,maintain,andstoreprotectedhealthinformation.AWSsignsbusinessassociateagreementswithsuchcustomers.

InformationSecurityRegisteredAssessorsProgram(IRAP)—IRAPenablesAustraliangovernmentcustomerstovalidatethatappropriatecontrolsareinplaceanddeterminetheappropriateresponsibilitymodelforaddressingtheneedsoftheAustralianSignalsDirectorate(ASD)InformationSecurityManual(ISM).AWShascompletedanindependentassessmentthathasdeterminedthatallapplicableISMcontrolsareinplacerelatingtotheprocessing,storage,andtransmissionofUnclassifiedDisseminationLimitingMarker(DLM)workloadsfortheAsiaPacific(Sydney)region.

ISO9001—AWShasachievedISO9001certification.AWSISO9001certificationdirectlysupportscustomerswhodevelop,migrate,andoperatetheirquality-controlledITsystemsintheAWSCloud.CustomerscanleverageAWScompliancereportsasevidencefortheirownISO9001programsandindustry-specificqualityprograms,suchasGoodLaboratory,Clinical,orManufacturingPractices(GxP)inlifesciences,ISO13485inmedicaldevices,AS9100inaerospace,andISOTechnicalSpecification(ISO/TS)16949intheautomotiveindustry.AWScustomerswhodon’thavequalitysystemrequirementscanstillbenefitfromtheadditionalassuranceandtransparencythatanISO9001certificationprovides.

ISO27001—AWShasachievedISO27001certificationoftheInformationSecurityManagementSystem(ISMS)coveringAWSinfrastructure,datacenters,andservicesthataredetailedintheAWSRiskandCompliancewhitepaper,availableontheAWSwebsite.

ISO27017—ISO27017isthenewestcodeofpracticereleasedbyISO.Itprovidesimplementationguidanceoninformationsecuritycontrolsthatspecificallyrelateto

cloudservices.AWShasachievedISO27017certificationoftheISMScoveringAWSinfrastructure,datacenters,andservicesthataredetailedintheAWSRiskandCompliancewhitepaper,availableontheAWSwebsite.

ISO27018—Thisisthefirstinternationalcodeofpracticethatfocusesonprotectionofpersonaldatainthecloud.ItisbasedonISOinformationsecuritystandard27002,anditprovidesimplementationguidanceonISO27002controlsapplicabletopubliccloud-relatedPersonallyIdentifiableInformation(PII).ItalsoprovidesasetofcontrolsandassociatedguidanceintendedtoaddresspubliccloudPIIprotectionrequirementsnotaddressedbytheexistingISO27002controlset.AWShasachievedISO27018certificationoftheAWSISMScoveringAWSinfrastructure,datacenters,andservicesthataredetailedintheAWSRiskandCompliancewhitepaper,availableontheAWSwebsite.

U.S.InternationalTrafficinArmsRegulations(ITAR)—TheAWSGovCloud(US)regionsupportsITARcompliance.AsapartofmanagingacomprehensiveITARcomplianceprogram,companiessubjecttoITARexportregulationsmustcontrolunintendedexportsbyrestrictingaccesstoprotecteddatatoU.S.personsandrestrictingphysicallocationofthatdatatotheU.S.AWSGovCloud(US)providesanenvironmentphysicallylocatedintheUnitedStateswhereaccessbyAWSpersonnelislimitedtoU.S.persons,therebyallowingqualifiedcompaniestotransmit,process,andstoreprotectedarticlesanddatasubjecttoITARrestrictions.TheAWSGovCloud(US)environmenthasbeenauditedbyanindependentthirdpartytovalidatethatthepropercontrolsareinplacetosupportcustomerexportcomplianceprogramsforthisrequirement.

MotionPictureAssociationofAmerica(MPAA)—MPAAhasestablishedasetofbestpracticesforsecurelystoring,processing,anddeliveringprotectedmediaandcontent.Mediacompaniesusethesebestpracticesasawaytoassessriskandsecurityoftheircontentandinfrastructure.AWShasdemonstratedalignmentwiththeMPAAbestpractices,andtheAWSinfrastructureiscompliantwithallapplicableMPAAinfrastructurecontrols.WhileMPAAdoesnotofferacertification,mediaindustrycustomerscanusetheAWSMPAAdocumentationtoaugmenttheirriskassessmentandevaluationofMPAA-typecontentonAWS.

Multi-TierCloudSecurity(MTCS)Tier3Certification—MTCSisanoperationalSingaporesecuritymanagementstandard(SPRINGSS584:2013)basedontheISO27001/02ISMSstandards.

NIST—InJune2015,NISTreleasedguideline800–171,FinalGuidelinesforProtectingSensitiveGovernmentInformationHeldbyContractors.ThisguidanceisapplicabletotheprotectionofControlledUnclassifiedInformation(CUI)onnon-federalsystems.AWSisalreadycompliantwiththeseguidelines,andcustomerscaneffectivelycomplywithNIST800–171immediately.NIST800–171outlinesasubsetoftheNIST800–53requirements,aguidelineunderwhichAWShasalreadybeenauditedundertheFedRAMPprogram.TheFedRAMPmoderatesecuritycontrolbaselineismorerigorousthantherecommendedrequirementsestablishedinNIST800–171,anditincludesasignificantnumberofsecuritycontrolsaboveandbeyondthoserequiredofFISMAmoderatesystemsthatprotectCUIdata.

PCIDSSLevel1—AWSisLevel1-compliantunderPCIDSS.Customerscanrun

applicationsontheAWSPCI-complianttechnologyinfrastructureforstoring,processing,andtransmittingcreditcardinformationinthecloud.InFebruary2013,thePCISecurityStandardsCouncilreleasedthePCIDSScloudcomputingguidelines.TheseguidelinesprovidecustomerswhoaremanagingacardholderdataenvironmentwithconsiderationsformaintainingPCIDSScontrolsinthecloud.AWShasincorporatedthePCIDSScloudcomputingguidelinesintotheAWSPCIcompliancepackageforcustomers.

SOC1/InternationalStandardsforAssuranceEngagementsNo.3402(ISAE3402)—AWSpublishesaSOC1,TypeIIreport.TheauditforthisreportisconductedinaccordancewithAICPA:AT801(formerlyStatementonStandardsforAttestationEngagementsNo.16[SSAE16])andISAE3402).Thisdual-standardreportisintendedtomeetabroadrangeoffinancialauditingrequirementsforU.S.andinternationalauditingbodies.TheSOC1reportauditatteststhatAWScontrolobjectivesareappropriatelydesignedandthattheindividualcontrolsdefinedtosafeguardcustomerdataareoperatingeffectively.ThisreportisthereplacementoftheSAS70,TypeIIauditreport.

SOC2—InadditiontotheSOC1report,AWSpublishesaSOC2,TypeIIreport.SimilartoSOC1intheevaluationofcontrols,theSOC2reportisanattestationreportthatexpandstheevaluationofcontrolstothecriteriasetforthbyAICPAtrustservicesprinciples.Theseprinciplesdefineleadingpracticecontrolsrelevanttosecurity,availability,processingintegrity,confidentiality,andprivacyapplicabletoserviceorganizationssuchasAWS.TheAWSSOC2isanevaluationofthedesignandoperatingeffectivenessofAWScontrolsthatmeetthecriteriaforthesecurityandavailabilityprinciplessetforthintheAICPAtrustservicesprinciplescriteria.ThereportprovidesadditionaltransparencyintoAWSsecurityandavailabilitybasedonapredefinedindustrystandardofleadingpracticesandfurtherdemonstratesAWScommitmenttoprotectingcustomerdata.TheSOC2reportscopecoversthesameservicescoveredintheSOC1report.

SOC3—AWSpublishesaSOC3report.TheSOC3reportisapubliclyavailablesummaryoftheAWSSOC2report.Thereportincludestheexternalauditor’sopinionoftheoperationofcontrols(basedontheAICPAsecuritytrustprinciplesincludedintheSOC2report),theassertionfromAWSmanagementregardingtheeffectivenessofcontrols,andanoverviewofAWSinfrastructureandservices.TheAWSSOC3reportincludesallAWSdatacentersworldwidethatsupportin-scopeservices.ThisisagreatresourceforcustomerstovalidatethatAWShasobtainedexternalauditorassurancewithoutgoingthroughtheprocessofrequestingaSOC2report.TheSOC3reportcoversthesameservicescoveredintheSOC1report.

SummaryAWScommunicateswithcustomersregardingitssecurityandcontrolenvironmentthroughthefollowingmechanisms:

Obtainingindustrycertificationsandindependentthird-partyattestations

PublishinginformationaboutsecurityandAWScontrolpracticesviathewebsite,whitepapers,andblogs

Directlyprovidingcustomerswithcertificates,reports,andotherdocumentation(underNDAinsomecases)

Thesharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations;italsoextendstoITcontrols.Themanagement,operation,andverificationofITcontrolsaresharedbetweenAWSandthecustomer.AWSmanagesthesecontrolswhereitrelatestothephysicalinfrastructure,andthecustomermanagesthesecontrolsfortheguestoperatingsystemsandupward(dependingontheservice).

Itisthecustomer’sresponsibilitytomaintainadequategovernanceovertheentireITcontrolenvironment,regardlessofhowtheirITisdeployed(on-premises,cloud,orhybrid).BydeployingtotheAWSCloud,customershavedifferentoptionsforapplyingdifferenttypesofcontrolsandvariousverificationmethodsthatalignwiththeirbusinessrequirements.

ThecontrolenvironmentforAWScontainsalargevolumeofinformation.Thisinformationisprovidedtocustomersthroughwhitepapers,reports,certifications,andotherthird-partyattestations.AWSprovidesITcontrolinformationtocustomersintwoways:specificcontroldefinitionandgeneralcontrolstandardcompliance.

AWSprovidesdocumentationaboutitsriskandcomplianceprogram.ThisdocumentationcanenablecustomerstoincludeAWScontrolsintheirgovernanceframeworks.Thethreecoreareasoftheriskandcomplianceprogramareriskmanagement,controlenvironment,andinformationsecurity.

AWShasachievedanumberofinternationallyrecognizedcertificationsandaccreditationsthatdemonstrateAWScompliancewiththird-partyassuranceframeworks,including:

FedRAMP

FIPS140–2

FISMAandDIACAP

HIPAA

ISO9001

ISO27001

ITAR

PCIDSSLevel1

SOC1/ISAE3402

SOC2

SOC3

AWSisconstantlylisteningtocustomersandexaminingothercertificationsforthefuture.

ExamEssentialsUnderstandthesharedresponsibilitymodel.Thesharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations;italsoextendstoITcontrols.Forexample,themanagement,operation,andverificationofITcontrolsaresharedbetweenAWSandthecustomer.AWSmanagesthesecontrolswhereitrelatestophysicalinfrastructure.

RememberthatITgovernanceisthecustomer’sresponsibility.Itisthecustomer’sresponsibilitytomaintainadequategovernanceovertheentireITcontrolenvironment,regardlessofhowitsITisdeployed(on-premises,cloud,orhybrid).

UnderstandhowAWSprovidescontrolinformation.AWSprovidesITcontrolinformationtocustomersintwoways:viaspecificcontroldefinitionandthroughamoregeneralcontrolstandardcompliance.

RememberthatAWSisveryproactiveaboutriskmanagement.AWStakesriskmanagementveryseriously,soithasdevelopedabusinessplantoidentifyanyrisksandtoimplementcontrolstomitigateormanagethoserisks.AnAWSmanagementteamreevaluatesthebusinessriskplanatleasttwiceayear.Asapartofthisprocess,managementteammembersarerequiredtoidentifyriskswithintheirspecificareasofresponsibilityandthenimplementcontrolsdesignedtoaddressandperhapseveneliminatethoserisks.

Rememberthatthecontrolenvironmentisnotjustabouttechnology.TheAWScontrolenvironmentconsistsofpolicies,processes,andcontrolactivities.Thiscontrolenvironmentincludespeople,processes,andtechnology.

Rememberthekeyreports,certifications,andthird-partyattestations.Thekeyreports,certifications,andthird-partyattestationsinclude,butarenotlimitedto,thefollowing:

FedRAMP

FIPS140–2

FISMAandDIACAP

HIPAA

ISO9001

ISO27001

ITAR

PCIDSSLevel1

SOC1/ISAE3402

SOC2

SOC3

ReviewQuestions1. AWScommunicateswithcustomersregardingitssecurityandcontrolenvironmentthroughavarietyofdifferentmechanisms.Whichofthefollowingarevalidmechanisms?(Choose3answers)

A. Obtainingindustrycertificationsandindependentthird-partyattestations

B. PublishinginformationaboutsecurityandAWScontrolpracticesviathewebsite,whitepapers,andblogs

C. Directlyprovidingcustomerswithcertificates,reports,andotherdocumentation(underNDAinsomecases)

D. Allowingcustomers’auditorsdirectaccesstoAWSdatacenters,infrastructure,andseniorstaff

2. WhichofthefollowingstatementsistruewhenitcomestotheAWSsharedresponsibilitymodel?

A. Thesharedresponsibilitymodelislimitedtosecurityconsiderationsonly;itdoesnotextendtoITcontrols.

B. ThesharedresponsibilitymodelisonlyapplicableforcustomerswhowanttobecompliantwithSOC1TypeII.

C. Thesharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations;italsoextendstoITcontrols.

D. ThesharedresponsibilitymodelisonlyapplicableforcustomerswhowanttobecompliantwithISO27001.

3. AWSprovidesITcontrolinformationtocustomersinwhichofthefollowingways?

A. Byusingspecificcontroldefinitionsorthroughgeneralcontrolstandardcompliance

B. ByusingspecificcontroldefinitionsorthroughSAS70

C. ByusinggeneralcontrolstandardcomplianceandbycomplyingwithISO27001

D. BycomplyingwithISO27001andSOC1TypeII

4. Whichofthefollowingisavalidreport,certification,orthird-partyattestationforAWS?(Choose3answers)

A. SOC1

B. PCIDSSLevel1

C. SOC4

D. ISO27001

5. Whichofthefollowingstatementsistrue?

A. ITgovernanceisstillthecustomer’sresponsibility,despitedeployingtheirITestateontotheAWSplatform.

B. TheAWSplatformisPCIDSS-complianttoLevel1.Customerscandeploytheirwebapplicationstothisplatform,andtheywillbePCIDSS-compliantautomatically.

C. ThesharedresponsibilitymodelappliestoITsecurityonly;itdoesnotrelatetogovernance.

D. AWSdoesn’ttakeriskmanagementveryseriously,andit’suptothecustomertomitigateriskstotheAWSinfrastructure.

6. WhichofthefollowingstatementsistruewhenitcomestotheriskandcomplianceadvantagesoftheAWSenvironment?

A. WorkloadsmustbemovedentirelyintotheAWSCloudinordertobecompliantwithvariouscertificationsandthird-partyattestations.

B. ThecriticalcomponentsofaworkloadmustbemovedentirelyintotheAWSCloudinordertobecompliantwithvariouscertificationsandthird-partyattestations,butthenon-criticalcomponentsdonot.

C. Thenon-criticalcomponentsofaworkloadmustbemovedentirelyintotheAWSCloudinordertobecompliantwithvariouscertificationsandthird-partyattestations,butthecriticalcomponentsdonot.

D. Few,many,orallcomponentsofaworkloadcanbemovedtotheAWSCloud,butitisthecustomer’sresponsibilitytoensurethattheirentireworkloadremainscompliantwithvariouscertificationsandthird-partyattestations.

7. WhichofthefollowingstatementsbestdescribesanAvailabilityZone?

A. EachAvailabilityZoneconsistsofasinglediscretedatacenterwithredundantpowerandnetworking/connectivity.

B. EachAvailabilityZoneconsistsofmultiplediscretedatacenterswithredundantpowerandnetworking/connectivity.

C. EachAvailabilityZoneconsistsofmultiplediscreteregions,eachwithasingledatacenterwithredundantpowerandnetworking/connectivity.

D. EachAvailabilityZoneconsistsofmultiplediscretedatacenterswithsharedpowerandredundantnetworking/connectivity.

8. WithregardtovulnerabilityscansandthreatassessmentsoftheAWSplatform,whichofthefollowingstatementsaretrue?(Choose2answers)

A. AWSregularlyperformsscansofpublic-facingendpointIPaddressesforvulnerabilities.

B. ScansperformedbyAWSincludecustomerinstances.

C. AWSsecuritynotifiestheappropriatepartiestoremediateanyidentifiedvulnerabilities.

D. Customerscanperformtheirownscansatanytimewithoutadvancenotice.

9. WhichofthefollowingbestdescribestheriskandcompliancecommunicationresponsibilitiesofcustomerstoAWS?

A. AWSandcustomersbothcommunicatetheirsecurityandcontrolenvironment

informationtoeachotheratalltimes.

B. AWSpublishesinformationabouttheAWSsecurityandcontrolpracticesonline,anddirectlytocustomersunderNDA.CustomersdonotneedtocommunicatetheiruseandconfigurationstoAWS.

C. CustomerscommunicatetheiruseandconfigurationstoAWSatalltimes.AWSdoesnotcommunicateAWSsecurityandcontrolpracticestocustomersforsecurityreasons.

D. BothcustomersandAWSkeeptheirsecurityandcontrolpracticesentirelyconfidentialanddonotsharetheminordertoensurethegreatestsecurityforallparties.

10. Whenitcomestoriskmanagement,whichofthefollowingistrue?

A. AWSdoesnotdevelopastrategicbusinessplan;riskmanagementandmitigationisentirelytheresponsibilityofthecustomer.

B. AWShasdevelopedastrategicbusinessplantoidentifyanyrisksandimplementedcontrolstomitigateormanagethoserisks.Customersdonotneedtodevelopandmaintaintheirownriskmanagementplans.

C. AWShasdevelopedastrategicbusinessplantoidentifyanyrisksandhasimplementedcontrolstomitigateormanagethoserisks.Customersshouldalsodevelopandmaintaintheirownriskmanagementplanstoensuretheyarecompliantwithanyrelevantcontrolsandcertifications.

D. NeitherAWSnorthecustomerneedstoworryaboutriskmanagement,sonoplanisneededfromeitherparty.

11. TheAWScontrolenvironmentisinplaceforthesecuredeliveryofAWSCloudserviceofferings.WhichofthefollowingdoesthecollectivecontrolenvironmentNOTexplicitlyinclude?

A. People

B. Energy

C. Technology

D. Processes

12. WhoisresponsiblefortheconfigurationofsecuritygroupsinanAWSenvironment?

A. ThecustomerandAWSarebothjointlyresponsibleforensuringthatsecuritygroupsarecorrectlyandsecurelyconfigured.

B. AWSisresponsibleforensuringthatallsecuritygroupsarecorrectlyandsecurelyconfigured.Customersdonotneedtoworryaboutsecuritygroupconfiguration.

C. NeitherAWSnorthecustomerisresponsiblefortheconfigurationofsecuritygroups;securitygroupsareintelligentlyandautomaticallyconfiguredusingtrafficheuristics.

D. AWSprovidesthesecuritygroupfunctionalityasaservice,butthecustomerisresponsibleforcorrectlyandsecurelyconfiguringtheirownsecuritygroups.

13. WhichofthefollowingisNOTarecommendedapproachforcustomerstryingtoachievestrongcomplianceandgovernanceoveranentireITcontrolenvironment?

A. Takeaholisticapproach:reviewinformationavailablefromAWStogetherwithallotherinformation,anddocumentallcompliancerequirements.

B. Verifythatallcontrolobjectivesaremetandallkeycontrolsaredesignedandoperatingeffectively.

C. Implementgenericcontrolobjectivesthatarenotspecificallydesignedtomeettheirorganization’scompliancerequirements.

D. Identifyanddocumentcontrolsownedbyallthirdparties.

Chapter14ArchitectureBestPracticesTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems




Planninganddesign

Familiaritywith:


HybridITarchitectures(e.g.,AWSDirectConnect,AWSStorageGateway,AmazonVirtualPrivateCloud[AmazonVPC],AWSDirectoryService)


IntroductionForseveralyears,softwarearchitectshavecreatedandimplementedpatternsandbestpracticestobuildhighlyscalableapplications.Whethermigratingexistingapplicationstothecloudorbuildingnewapplicationsonthecloud,theseconceptsareevenmoreimportantbecauseofever-growingdatasets,unpredictabletrafficpatterns,andthedemandforfasterresponsetimes.

MigratingapplicationstoAWS,evenwithoutsignificantchanges,providesorganizationswiththebenefitsofasecuredandcost-efficientinfrastructure.Tomakethemostoftheelasticityandagilitypossiblewithcloudcomputing,however,SolutionsArchitectsneedtoevolvetheirarchitecturestotakefulladvantageofAWScapabilities.

Fornewapplications,AWScustomershavebeendiscoveringcloud-specificITarchitecturepatternsthatdriveevenmoreefficiencyandscalabilityfortheirsolutions.Thosenewarchitecturescansupportanythingfromreal-timeanalyticsofInternet-scaledatatoapplicationswithunpredictabletrafficfromthousandsofconnectedInternetofThings(IoT)ormobiledevices.ThisleavesendlesspossibilitiesforapplicationsarchitectedusingAWSbestpractices.

ThischapterhighlightsthetenetsofarchitecturebestpracticestoconsiderwhetheryouaremigratingexistingapplicationstoAWSordesigningnewapplicationsforthecloud.Thesetenetsinclude:

Designforfailureandnothingwillfail.

Implementelasticity.

Leveragedifferentstorageoptions.

Buildsecurityineverylayer.

Thinkparallel.

Loosecouplingsetsyoufree.

Don’tfearconstraints.

Understandingtheservicescoveredinthisbookinthecontextofthesepracticesiskeytosucceedingontheexam.

DesignforFailureandNothingFailsThefirstarchitecturebestpracticeforAWSisthefundamentalprincipleofdesigningforfailure.

Everythingfails,allthetime

—WernerVogels,CTO,AWS

Typically,productionsystemscomewithdefinedorimplicitrequirementsintermsofuptime.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.Asanexample,onegoalwhendesigningforfailurewouldbetoensureanapplicationsurviveswhentheunderlyingphysicalhardwareforoneoftheserversfails.

Let’stakealookatthesimplewebapplicationillustratedinFigure14.1.Thisapplicationhassomefundamentaldesignissuesforprotectingagainstcomponentfailures.Tostart,thereisnoredundancyorfailover,whichresultsinsinglepointsoffailure.

FIGURE14.1Simplewebapplicationarchitecture

Ifthesinglewebserverfails,thesystemfails.

Ifthesingledatabasefails,thesystemfails.

IftheAvailabilityZone(AZ)fails,thesystemfails.

Bottomline,therearetoomanyeggsinonebasket.

Nowlet’swalkthroughtransformingthissimpleapplicationintoamoreresilientarchitecture.Tobegin,wearegoingtoaddressthesinglepointsoffailureinthecurrentarchitecture.Singlepointsoffailurecanberemovedbyintroducingredundancy,whichishavingmultipleresourcesforthesametask.Redundancycanbeimplementedineitherstandbyoractivemode.

Instandbyredundancywhenaresourcefails,functionalityisrecoveredonasecondaryresourceusingaprocesscalledfailover.Thefailoverwilltypicallyrequiresometimebeforeitiscompleted,andduringthatperiodtheresourceremainsunavailable.Thesecondaryresourcecaneitherbelaunchedautomaticallyonlywhenneeded(toreducecost),oritcanbealreadyrunningidle(toacceleratefailoverandminimizedisruption).Standbyredundancyisoftenusedforstatefulcomponentssuchasrelationaldatabases.

Inactiveredundancy,requestsaredistributedtomultipleredundantcomputeresources,andwhenoneofthemfails,therestcansimplyabsorbalargershareoftheworkload.Comparedtostandbyredundancy,itcanachievebetterutilizationandaffectasmallerpopulationwhenthereisafailure.

Toaddresstheredundancyissues,wewilladdanotherwebinstanceandaddastandbyinstanceforAmazonRelationalDatabaseService(AmazonRDS)toprovidehighavailabilityandautomaticfailover.ThekeyisthatwearegoingtoaddthenewresourcesinanotherAZ.AnAZconsistsofoneormorediscretedatacenters.AZswithinaregionprovideinexpensive,low-latencynetworkconnectivitytootherAZsinthesameregion.Thisallowsourapplicationtoreplicatedataacrossdatacentersinasynchronousmannersothatfailovercanbeautomatedandbetransparentfortheusers.

Additionally,wearegoingtoimplementactiveredundancybyswappingouttheElasticIPAddress(EIP)onourwebinstancewithanElasticLoadBalancer(ELB).TheELBallowsinboundrequeststobedistributedbetweenthewebinstances.NotonlywilltheELBhelpwithdistributingloadbetweenmultipleinstances,itwillalsostopsendingtraffictotheaffectedwebnodeifaninstancefailsitshealthchecks.Figure14.2showstheupdatedarchitecturewithredundancyforthewebapplication.

FIGURE14.2Updatedwebapplicationarchitecturewithredundancy

ThisMulti-AZarchitecturehelpstoensurethattheapplicationisisolatedfromfailuresinasingleAvailabilityZone.Infact,manyofthehigherlevelservicesonAWSareinherentlydesignedaccordingtotheMulti-AZprinciple.Forexample,AmazonSimpleStorageService(AmazonS3)andAmazonDynamoDBensurethatdataisredundantlystoredacrossmultiplefacilities.

Oneruleofthumbtokeepinmindwhendesigningarchitecturesinthecloudistobeapessimist;thatis,assumethingswillfail.Inotherwords,alwaysdesign,implement,anddeployforautomatedrecoveryfromfailure.

ImplementElasticityElasticityistheabilityofasystemtogrowtohandleincreasedload,whethergraduallyovertimeorinresponsetoasuddenchangeinbusinessneeds.Toachieveelasticity,itisimportantthatthesystembebuiltonascalablearchitecture.Sucharchitecturescansupportgrowthinusers,traffic,ordatasizewithnodropinperformance.Thesearchitecturesshouldprovidescaleinalinearmanner,whereaddingextraresourcesresultsinatleastaproportionalincreaseinabilitytoserveadditionalsystemload.Thegrowthinresourcesshouldintroduceeconomiesofscale,andcostshouldfollowthesamedimensionthatgeneratesbusinessvalueoutofthatsystem.Whilecloudcomputingprovidesvirtuallyunlimitedon-demandcapacity,systemarchitecturesneedtobeabletotakeadvantageofthoseresourcesseamlessly.TherearegenerallytwowaystoscaleanITarchitecture:verticallyandhorizontally.

ScalingVerticallyVerticalscalingtakesplacethroughanincreaseinthespecificationsofanindividualresource(forexample,upgradingaserverwithalargerharddrive,morememory,orafasterCPU).OnAmazonElasticComputeCloud(AmazonEC2),thiscaneasilybeachievedbystoppinganinstanceandresizingittoaninstancetypethathasmoreRAM,CPU,I/O,ornetworkingcapabilities.Verticalscalingwilleventuallyhitalimit,anditisnotalwaysacost-efficientorhighlyavailableapproach.Evenso,itisveryeasytoimplementandcanbesufficientformanyusecases,especiallyintheshortterm.

ScalingHorizontallyHorizontalscalingtakesplacethroughanincreaseinthenumberofresources(forexample,addingmoreharddrivestoastoragearrayoraddingmoreserverstosupportanapplication).ThisisagreatwaytobuildInternet-scaleapplicationsthatleveragetheelasticityofcloudcomputing.Notallarchitecturesaredesignedtodistributetheirworkloadtomultipleresources,anditisimportanttounderstandsystemcharacteristicsthatcanaffectasystem’sabilitytoscalehorizontally.Onekeycharacteristicistheimpactofstatelessandstatefularchitectures.

StatelessApplicationsWhenusersorservicesinteractwithanapplication,theywilloftenperformaseriesofinteractionsthatformasession.Astatelessapplicationneedsnoknowledgeofthepreviousinteractionsandstoresnosessioninformation.Astatelessapplicationcanscalehorizontally,becauseanyrequestcanbeservicedbyanyoftheavailablesystemcomputeresources.Becausenosessiondataneedstobesharedbetweensystemresources,computeresourcescanbeaddedasneeded.Whenexcesscapacityisnolongerrequired,anyindividualresourcecanbesafelyterminated.Thoseresourcesdonotneedtobeawareofthepresenceoftheirpeers;allthatisrequiredisawaytodistributetheworkloadtothem.

Let’sassumethatthewebapplicationweusedintheprevioussectionisastatelessapplicationwithunpredictabledemand.Inorderforourwebinstancestomeetthepeaksandvalleysassociatedwithourdemandprofile,weneedtoscaleelastically.Agreatwayto

introduceelasticityandhorizontalscalingisbyleveragingAutoScalingforwebinstances.AnAutoScalinggroupcanautomaticallyaddAmazonEC2instancestoanapplicationinresponsetoheavytrafficandremovethemwhentrafficslows.Figure14.3showsourwebapplicationarchitectureaftertheintroductionofanAutoScalinggroup.

FIGURE14.3Updatedwebapplicationarchitecturewithautoscaling

StatelessComponentsInpractice,mostapplicationsneedtomaintainsomekindofstateinformation.Forexample,webapplicationsneedtotrackwhetherauserissignedin,orelsetheymightpresentpersonalizedcontentbasedonpreviousactions.Youcanstillmakeaportionofthesearchitecturesstatelessbynotstoringstateinformationlocallyonahorizontally-scalingresource,asthoseresourcescanappearanddisappearasthesystemscalesupanddown.

Forexample,webapplicationscanuseHTTPcookiestostoreinformationaboutasessionattheclient’sbrowser(suchasitemsintheshoppingcart).Thebrowserpassesthatinformationbacktotheserverateachsubsequentrequestsothattheapplicationdoesnotneedtostoreit.However,therearetwodrawbackswiththisapproach.First,thecontentoftheHTTPcookiescanbetamperedwithattheclientside,soyoushouldalwaystreatthemasuntrusteddatathatneedstobevalidated.Second,HTTPcookiesaretransmittedwitheveryrequest,whichmeansthatyoushouldkeeptheirsizetoaminimumtoavoidunnecessary

latency.

ConsideronlystoringauniquesessionidentifierinaHTTPcookieandstoringmoredetailedusersessioninformationserver-side.Mostprogrammingplatformsprovideanativesessionmanagementmechanismthatworksthisway;however,thesemanagementmechanismsoftenstorethesessioninformationlocallybydefault.Thiswouldresultinastatefularchitecture.Acommonsolutiontothisproblemistostoreusersessioninformationinadatabase.AmazonDynamoDBisagreatchoiceduetoitsscalability,highavailability,anddurabilitycharacteristics.Formanyplatforms,thereareopensource,drop-inreplacementlibrariesthatallowyoutostorenativesessionsinAmazonDynamoDB.

StatefulComponentsInevitably,therewillbelayersofyourarchitecturethatyouwon’tturnintostatelesscomponents.First,bydefinition,databasesarestateful.Inaddition,manylegacyapplicationsweredesignedtorunonasingleserverbyrelyingonlocalcomputeresources.Otherusecasesmightrequireclientdevicestomaintainaconnectiontoaspecificserverforprolongedperiodsoftime.Forexample,real-timemultiplayergamingmustoffermultipleplayersaconsistentviewofthegameworldwithverylowlatency.Thisismuchsimplertoachieveinanon-distributedimplementationwhereparticipantsareconnectedtothesameserver.

DeploymentAutomationWhetheryouaredeployinganewenvironmentfortestingorincreasingcapacityofanexistingsystemtocopewithextraload,youwillnotwanttosetupnewresourcesmanuallywiththeirconfigurationandcode.Itisimportantthatyoumakethisanautomatedandrepeatableprocessthatavoidslongleadtimesandisnotpronetohumanerror.Automatingthedeploymentprocessandstreamliningtheconfigurationandbuildprocessiskeytoimplementingelasticity.Thiswillensurethatthesystemcanscalewithoutanyhumanintervention.

AutomateYourInfrastructureOneofthemostimportantbenefitsofusingacloudenvironmentistheabilitytousethecloud’sApplicationProgramInterfaces(APIs)toautomateyourdeploymentprocess.Itisrecommendedthatyoutakethetimetocreateanautomateddeploymentprocessearlyonduringthemigrationprocessandnotwaituntiltheend.Creatinganautomatedandrepeatabledeploymentprocesswillhelpreduceerrorsandfacilitateanefficientandscalableupdateprocess.

BootstrapYourInstancesWhenyoulaunchanAWSresourcelikeanAmazonEC2instance,youstartwithadefaultconfiguration.YoucanthenexecuteautomatedbootstrappingactionsasdescribedinChapter3,“AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS).”Letyourinstancesaskaquestionatboot:“WhoamIandwhatismyrole?”Everyinstanceshouldhavearoletoplayintheenvironment(suchasdatabaseserver,applicationserver,orslaveserverinthecaseofawebapplication).RolesmaybeappliedduringlaunchandcaninstructtheAMIonthestepstotakeafterithasbooted.Onboot,aninstanceshouldgrabthenecessaryresources(forexample,code,scripts,orconfiguration)basedontherole

and“attach”itselftoaclustertoserveitsfunction.

Benefitsofbootstrappingyourinstancesinclude:

Recreateenvironments(forexample,development,staging,production)withfewclicksandminimaleffort.

Maintainmorecontroloveryourabstract,cloud-basedresources.

Reducehuman-induceddeploymenterrors.

Createaself-healingandself-discoverableenvironmentthatismoreresilienttohardwarefailure.

Designingintelligentelasticcloudarchitectures,whereinfrastructurerunsonlywhenyouneedit,isanart.AsaSolutionsArchitect,elasticityshouldbeoneofthefundamentaldesignrequirementswhendefiningyourarchitectures.Herearesomequestionstokeepinmindwhendesigningcloudarchitectures:

Whatcomponentsorlayersinmyapplicationarchitecturecanbecomeelastic?

Whatwillittaketomakethatcomponentelastic?

Whatwillbetheimpactofimplementingelasticitytomyoverallsystemarchitecture?

LeverageDifferentStorageOptionsAWSoffersabroadrangeofstoragechoicesforbackup,archiving,anddisasterrecovery,aswellasblock,file,andobjectstoragetosuitaplethoraofusecases.Forexample,serviceslikeAmazonElasticBlockStorage(AmazonEBS),AmazonS3,AmazonRDS,andAmazonCloudFrontprovideawiderangeofchoicestomeetdifferentstorageneeds.Itisimportantfromacost,performance,andfunctionalaspecttoleveragedifferentstorageoptionsavailableinAWSfordifferenttypesofdatasets.

OneSizeDoesNotFitAllYourworkloadandusecaseshoulddictatewhatstorageoptiontoleverageinAWS.Noonestorageoptionissuitableforallsituations.Table14.1providesalistofsomestoragescenariosandwhichAWSstorageoptionyoushouldconsidertomeettheidentifiedneed.Thistableisnotmeanttobeanall-encompassingcaptureofscenarios,butanexampleguide.

TABLE14.1StorageScenariosandAWSStorageOptions

SampleScenario StorageOption

Yourwebapplicationneedslarge-scalestoragecapacityandperformance.

-or- AmazonS3

Youneedcloudstoragewithhighdatadurabilitytosupportbackupandactivearchivesfordisasterrecovery.

Yourequirecloudstoragefordataarchivingandlong-termbackup. AmazonGlacier

Yourequireacontentdeliverynetworktodeliverentirewebsites,includingdynamic,static,streaming,andinteractivecontentusingaglobalnetworkofedgelocations.

AmazonCloudFront

YourequireafastandflexibleNoSQLdatabasewithaflexibledatamodelandreliableperformance.

AmazonDynamoDB

Youneedreliableblockstoragetorunmission-criticalapplicationssuchasOracle,SAP,MicrosoftExchange,andMicrosoftSharePoint.

AmazonEBS

Youneedahighlyavailable,scalable,andsecureMySQLdatabasewithoutthetime-consumingadministrativetasks.

AmazonRDS

Youneedafast,powerful,fully-managed,petabyte-scaledatawarehousetosupportbusinessanalyticsofyoure-commerceapplication.

AmazonRedshift

YouneedaRedisclustertostoresessioninformationforyourwebapplication.

AmazonElastiCache

YouneedacommonfilesystemforyourapplicationthatissharedbetweenmorethanoneAmazonEC2instance.

AmazonElasticFileSystem(AmazonEFS)

Let’sreturntooursamplewebapplicationarchitectureandshowhowdifferentstorageoptionscanbeleveragedtooptimizecostandarchitecture.WecanstartbymovinganystaticassetsfromourwebinstancestoAmazonS3,andthenservethoseobjectsviaAmazon

CloudFront.Thesestaticassetswouldincludealloftheimages,videos,CSS,JavaScript,andanyotherheavystaticcontentthatiscurrentlydeliveredviathewebinstances.ByservingthesefilesviaanAmazonS3originwithglobalcachinganddistributionviaAmazonCloudFront,theloadwillbereducedonthewebinstancesandallowthewebtierfootprinttobereduced.Figure14.4showstheupdatedarchitectureforoursamplewebapplication.

FIGURE14.4UpdatedwebapplicationarchitecturewithAmazonS3andAmazonCloudFront

Tofurtheroptimizeourstorageoptions,thesessioninformationforoursamplewebapplicationcanbemovedtoAmazonDynamoDBoreventoAmazonElastiCache.Forourscenario,wewilluseAmazonDynamoDBtostorethesessioninformationbecausetheAWSSoftwareDevelopmentKits(SDK)provideconnectorsformanypopularwebdevelopmentframeworksthatmakestoringsessioninformationinAmazonDynamoDBeasy.Byremovingsessionstatefromourwebtier,thewebinstancesdonotlosesessioninformationwhenhorizontalscalingfromAutoScalinghappens.Additionally,wewillleverageAmazonElastiCachetostorecommondatabasequeryresults,therebytakingtheloadoffofourdatabasetier.Figure14.5showstheadditionofAmazonElastiCacheandAmazonDynamoDBtoourwebapplicationarchitecture.

FIGURE14.5UpdatedwebapplicationarchitecturewithAmazonElastiCacheandAmazonDynamoDB

AsaSolutionsArchitect,youwillultimatelycometoapointwhereyouneedtodecideanddefinewhatyourstoragerequirementsareforthedatathatyouneedtostoreonAWS.Thereareavarietyofoptionstochoosefromdependingonyourneeds,eachwithdifferentattributesrangingfromdatabasestorage,blockstorage,highlyavailableobject-basedstorage,andevencoldarchivalstorage.Ultimately,yourworkloadrequirementswilldictatewhichstorageoptionmakessenseforyourusecase.

BuildSecurityinEveryLayerWithtraditionalIT,infrastructuresecurityauditingwouldoftenbeaperiodicandmanualprocess.TheAWSCloudinsteadprovidesgovernancecapabilitiesthatenablecontinuousmonitoringofconfigurationchangestoyourITresources.BecauseAWSassetsareprogrammableresources,yoursecuritypolicycanbeformalizedandembeddedwiththedesignofyourinfrastructure.Withtheabilitytospinuptemporaryenvironments,securitytestingcannowbecomepartofyourcontinuousdeliverypipeline.SolutionsArchitectscanleverageaplethoraofnativeAWSsecurityandencryptionfeaturesthatcanhelpachievehigherlevelsofdataprotectionandcomplianceateverylayerofcloudarchitectures.

BestPractice

Inventoryyourdata,prioritizeitbyvalue,andapplytheappropriatelevelofencryptionforthedataintransitandatrest.

MostofthesecuritytoolsandtechniqueswithwhichyoumightalreadybefamiliarinatraditionalITinfrastructurecanbeusedinthecloud.Atthesametime,AWSallowsyoutoimproveyoursecurityinavarietyofways.AWSisaplatformthatallowsyoutoformalizethedesignofsecuritycontrolsintheplatformitself.ItsimplifiessystemuseforadministratorsandthoserunningITandmakesyourenvironmentmucheasiertoauditinacontinuousmanner.

UseAWSFeaturesforDefenseinDepthAWSprovidesawealthoffeaturesthathelpSolutionsArchitectsbuilddefenseindepth.Startingatthenetworklevel,youcanbuildanAmazonVirtualPrivateCloud(AmazonVPC)topologythatisolatespartsoftheinfrastructurethroughtheuseofsubnets,securitygroups,androutingcontrols.ServiceslikeAWSWebApplicationFirewall(AWSWAF)canhelpprotectyourwebapplicationsfromSQLinjectionandothervulnerabilitiesinyourapplicationcode.Foraccesscontrol,youcanuseAWSIdentityandAccessManagement(IAM)todefineagranularsetofpoliciesandassignthemtousers,groups,andAWSresources.Finally,theAWSplatformoffersabreadthofoptionsforprotectingdatawithencryption,whetherthedataisintransitoratrest.

UnderstandingthesecurityfeaturesofferedbyAWSisimportantfortheexam,anditiscoveredindetailinChapter12,“SecurityonAWS.”

OffloadSecurityResponsibilitytoAWSAWSoperatesunderasharedresponsibilitymodel,whereAWSisresponsibleforthesecurityoftheunderlyingcloudinfrastructure,andyouareresponsibleforsecuringtheworkloadsyoudeployonAWS.Thisway,youcanreducethescopeofyourresponsibilityandfocusonyourcorecompetenciesthroughtheuseofAWSmanagedservices.Forexample,whenyou

usemanagedservicessuchasAmazonRDS,AmazonElastiCache,AmazonCloudSearch,andothers,securitypatchesbecometheresponsibilityofAWS.Thisnotonlyreducesoperationaloverheadforyourteam,butitcouldalsoreduceyourexposuretovulnerabilities.

ReducePrivilegedAccessAnothercommonsourceofsecurityriskistheuseofserviceaccounts.Inatraditionalenvironment,serviceaccountswouldoftenbeassignedlong-termcredentialsstoredinaconfigurationfile.OnAWS,youcaninsteaduseIAMrolestograntpermissionstoapplicationsrunningonAmazonEC2instancesthroughtheuseoftemporarysecuritytokens.Thosecredentialsareautomaticallydistributedandrotated.Formobileapplications,theuseofAmazonCognitoallowsclientdevicestogetcontrolledaccesstoAWSresourcesviatemporarytokens.ForAWSManagementConsoleusers,youcansimilarlyprovidefederatedaccessthroughtemporarytokensinsteadofcreatingIAMusersinyourAWSaccount.Inthatway,anemployeewholeavesyourorganizationandisremovedfromyourorganization’sidentitydirectorywillalsoloseaccesstoyourAWSaccount.

BestPractice

Followthestandardsecuritypracticeofgrantingleastprivilege—thatis,grantingonlythepermissionsrequiredtoperformatask—toIAMusers,groups,roles,andpolicies.

SecurityasCodeTraditionalsecurityframeworks,regulations,andorganizationalpoliciesdefinesecurityrequirementsrelatedtothingssuchasfirewallrules,networkaccesscontrols,internal/externalsubnets,andoperatingsystemhardening.YoucanimplementtheseinanAWSenvironmentaswell,butyounowhavetheopportunitytocapturethemallinascriptthatdefinesa“GoldenEnvironment.”ThismeansthatyoucancreateanAWSCloudFormationscriptthatcapturesandreliablydeploysyoursecuritypolicies.Securitybestpracticescannowbereusedamongmultipleprojectsandbecomepartofyourcontinuousintegrationpipeline.Youcanperformsecuritytestingaspartofyourreleasecycleandautomaticallydiscoverapplicationgapsanddriftfromyoursecuritypolicies.

Additionally,forgreatercontrolandsecurity,AWSCloudFormationtemplatescanbeimportedas“products”intoAWSServiceCatalog.Thisenablescentralizedmanagementofresourcestosupportconsistentgovernance,security,andcompliancerequirementswhileenablinguserstodeployquicklyonlytheapprovedITservicestheyneed.YouapplyIAMpermissionstocontrolwhocanviewandmodifyyourproducts,andyoudefineconstraintstorestrictthewaysthatspecificAWSresourcescanbedeployedforaproduct.

Real-TimeAuditingTestingandauditingyourenvironmentiskeytomovingfastwhilestayingsafe.Traditionalapproachesthatinvolveperiodic(andoftenmanualorsample-based)checksarenotsufficient,especiallyinagileenvironmentswherechangeisconstant.OnAWS,youcanimplementcontinuousmonitoringandautomationofcontrolstominimizeexposuretosecurityrisks.ServiceslikeAWSConfigRules,AmazonInspector,andAWSTrustedAdvisor

continuallymonitorforcomplianceorvulnerabilitiesgivingyouaclearoverviewofwhichITresourcesareorarenotincompliance.WithAWSConfigRules,youwillalsoknowifsomecomponentwasoutofcomplianceevenforabriefperiodoftime,makingbothpoint-in-timeandperiod-in-timeauditsveryeffective.YoucanimplementextensiveloggingforyourapplicationsusingAmazonCloudWatchLogsandfortheactualAWSAPIcallsbyenablingAWSCloudTrail.AWSCloudTrailisawebservicethatrecordsAPIcallstosupportedAWSCloudservicesinyourAWSaccountandcreatesalogfile.AWSCloudTraillogsarestoredinanimmutablemannertoanAmazonS3bucketofyourchoice.Theselogscanthenbeautomaticallyprocessedeithertonotifyoreventakeactiononyourbehalf,protectingyourorganizationfromnon-compliance.YoucanuseAWSLambda,AmazonElasticMapReduce(AmazonEMR),AmazonElasticsearchService,orthird-partytoolsfromtheAWSMarketplacetoscanlogstodetectthingslikeunusedpermissions,overuseofprivilegedaccounts,usageofkeys,anomalouslogins,policyviolations,andsystemabuse.

WhileAWSprovidesanexcellentservicemanagementlayeraroundinfrastructureorplatformservices,organizationsarestillresponsibleforprotectingtheconfidentiality,integrity,andavailabilityoftheirdatainthecloud.AWSprovidesarangeofsecurityservicesandarchitecturalconceptsthatorganizationscanusetomanagesecurityoftheirassetsanddatainthecloud.

ThinkParallelThecloudmakesparallelizationeffortless.Whetheritisrequestingdatafromthecloud,storingdatatothecloud,orprocessingdatainthecloud,asaSolutionsArchitectyouneedtointernalizetheconceptofparallelizationwhendesigningarchitecturesinthecloud.Itisadvisablenotonlytoimplementparallelizationwhereverpossible,butalsotoautomateitbecausethecloudallowsyoutocreatearepeatableprocessveryeasily.

Whenitcomestoaccessing(retrievingandstoring)data,thecloudisdesignedtohandlemassivelyparalleloperations.Inordertoachievemaximumperformanceandthroughput,youshouldleveragerequestparallelization.Multi-threadingyourrequestsbyusingmultipleconcurrentthreadswillstoreorfetchthedatafasterthanrequestingitsequentially.Hence,ageneralbestpracticefordevelopingcloudapplicationsistodesigntheprocessesforleveragingmulti-threading.

Whenitcomestoprocessingorexecutingrequestsinthecloud,itbecomesevenmoreimportanttoleverageparallelization.Ageneralbestpractice,inthecaseofawebapplication,istodistributetheincomingrequestsacrossmultipleasynchronouswebserversusingaloadbalancer.Inthecaseofabatchprocessingapplication,youcanleverageamasternodewithmultipleslaveworkernodesthatprocessestasksinparallel(asindistributedprocessingframeworkslikeHadoop).

Thebeautyofthecloudshineswhenyoucombineelasticityandparallelization.YourcloudapplicationcanbringupaclusterofcomputeinstancesthatareprovisionedwithinminuteswithjustafewAPIcalls,performajobbyexecutingtasksinparallel,storetheresults,andthenterminatealloftheinstances.

LooseCouplingSetsYouFreeAsapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.ThismeansthatITsystemsshouldbedesignedinawaythatreducesinterdependencies,sothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.

BestPractice

Designsystemarchitectureswithindependentcomponentsthatare“blackboxes.”Themorelooselysystemcomponentsarecoupled,thelargertheyscale.

Awaytoreduceinterdependenciesinasystemistoallowthevariouscomponentstointeractwitheachotheronlythroughspecific,technology-agnosticinterfaces(suchasRESTfulAPIs).Inthisway,thetechnicalimplementationdetailsarehiddensothatteamscanmodifytheunderlyingimplementationwithoutaffectingothercomponents.Aslongasthoseinterfacesmaintainbackwardcompatibility,thedifferentcomponentsthatanoverallsystemiscomprisedofremaindecoupled.

AmazonAPIGatewayprovidesawaytoexposewell-definedinterfaces.AmazonAPIGatewayisafullymanagedservicethatmakesiteasyfordeveloperstocreate,publish,maintain,monitor,andsecureAPIsatanyscale.IthandlesallofthetasksinvolvedinacceptingandprocessinguptohundredsofthousandsofconcurrentAPIcalls,includingtrafficmanagement,authorizationandaccesscontrol,monitoring,andAPIversionmanagement.

Asynchronousintegrationisacommonpatternforimplementingloosecouplingbetweenservices.Thismodelissuitableforanyinteractionthatdoesnotneedanimmediateresponseandwhereanacknowledgementthatarequesthasbeenregisteredwillsuffice.Itinvolvesonecomponentthatgenerateseventsandanotherthatconsumesthem.Thetwocomponentsdonotintegratethroughdirectpoint-to-pointinteraction,butusuallythroughanintermediatedurablestoragelayer,suchasanAmazonSimpleQueueService(AmazonSQS)queueorastreamingdataplatformlikeAmazonKinesis.Figure14.6showsthelogicalflowfortightandlooselycoupledarchitectures.

FIGURE14.6Tightandloosecoupling

Leveragingasynchronousintegrationdecouplesthetwocomponentsandintroducesadditionalresiliency.Forexample,ifaprocessthatisreadingmessagesfromthequeuefails,messagescanstillbeaddedtothequeuetobeprocessedwhenthesystemrecovers.Italsoallowsyoutoprotectalessscalableback-endservicefromfront-endspikesandfindtherighttradeoffbetweencostandprocessinglag.Forexample,youcandecidethatyoudon’tneedtoscaleyourdatabasetoaccommodateforanoccasionalpeakofwritequeriesifyoueventuallyprocessthosequeriesasynchronouslywithsomedelay.Finally,bymovingslowoperationsoffofinteractiverequestpaths,youcanalsoimprovetheend-userexperience.

SampleLooselyCoupledArchitecture

Acompanyprovidestranscodingservicesforamateurproducerstoformattheirshortfilmstoavarietyofvideoformats.Theserviceprovidesenduserswithaneasy-to-usewebsitetosubmitvideosfortranscoding.ThevideosarestoredinAmazonS3,andamessage(“therequestmessage”)isplacedinanAmazonSQSqueue(“theincomingqueue”)withapointertothevideoandtothetargetvideoformatinthemessage.Thetranscodingengine,runningonasetofAmazonEC2instances,readstherequestmessagefromtheincomingqueue,retrievesthevideofromAmazonS3usingthepointer,andtranscodesthevideointothetargetformat.TheconvertedvideoisputbackintoAmazonS3andanothermessage(“theresponsemessage”)isplacedinanotherAmazonSQSqueue(“theoutgoingqueue”)withapointertotheconvertedvideo.Atthesametime,metadataaboutthevideo(suchasformat,datecreated,andlength)canbeindexedintoAmazonDynamoDBforeasyquerying.Duringthiswholeworkflow,adedicatedAmazonEC2instancecanconstantlymonitortheincomingqueueand,basedonthenumberofmessagesintheincomingqueue,candynamicallyadjustthenumberoftranscodingAmazonEC2instancestomeetcustomers’responsetimerequirements.

Applicationsthataredeployedasasetofsmallerserviceswilldependontheabilityofthoseservicestointeractwitheachother.Becauseeachofthoseservicescouldberunningacrossmultiplecomputeresources,thereneedstobeawayforeachservicetobeaddressed.Forexample,inatraditionalinfrastructure,ifyourfront-endwebserviceneededtoconnectwithyourback-endwebservice,youcouldhardcodetheIPaddressofthecomputeresourcewherethisservicewasrunning.Althoughthisapproachcanstillworkoncloudcomputing,ifthoseservicesaremeanttobelooselycoupled,theyshouldbeabletobeconsumedwithoutpriorknowledgeoftheirnetworktopologydetails.Apartfromhidingcomplexity,thisalsoallowsinfrastructuredetailstochangeatanytime.Inordertoachievethisagility,youwillneedsomewayofimplementingservicediscovery.Servicediscoverymanageshowprocessesandservicesinanenvironmentcanfindandtalktooneanother.Itinvolvesadirectoryofservices,registeringservicesinthatdirectory,andthenbeingabletolookupandconnecttoservicesinthatdirectory.

Loosecouplingisacrucialelementifyouwanttotakeadvantageoftheelasticityofcloudcomputing,wherenewresourcescanbelaunchedorterminatedatanypointintime.Byarchitectingsystemcomponentswithouttightdependenciesoneachother,applicationsarepositionedtotakefulladvantageofthecloud’sscale.

Don’tFearConstraintsWhenorganizationsdecidetomoveapplicationstothecloudandtrytomaptheirexistingsystemspecificationstothoseavailableinthecloud,theynoticethatthecloudmightnothavetheexactspecificationoftheresourcethattheyhaveonpremises.Forexample,observationsmayinclude“ClouddoesnotprovideXamountofRAMinaserver”or“MydatabaseneedstohavemoreIOPSthanwhatIcangetinasingleinstance.”

Youshouldunderstandthatthecloudprovidesabstractresourcesthatbecomepowerfulwhenyoucombinethemwiththeon-demandprovisioningmodel.Youshouldnotbeafraidandconstrainedwhenusingcloudresourcesbecauseevenifyoumightnotgetanexactreplicaofyouron-premiseshardwareinthecloudenvironment,youhavetheabilitytogetmoreofthoseresourcesinthecloudtocompensate.

Whenyoupushupagainstaconstraint,thinkaboutwhatit’stellingyouaboutapossibleunderlyingarchitecturalissue.Forexample,ifAWSdoesnothaveanAmazonRDSinstancetypewithenoughRAM,considerwhetheryouhaveinadvertentlytrappedyourselfinascale-upparadigm.ConsiderchangingtheunderlyingtechnologyandusingascalabledistributedcachelikeAmazonElastiCacheorshardingyourdataacrossmultipleservers.Ifitisaread-heavyapplication,youcandistributethereadloadacrossafleetofsynchronizedslaves.

Organizationsarechallengedwithdeveloping,managing,andoperatingapplicationsatscalewithawidevarietyofunderlyingtechnologycomponents.WithtraditionalITinfrastructure,companieswouldhavetobuildandoperateallofthosecomponents.Whilethesecomponentsmaynotmapdirectlyintoacloudenvironment,AWSoffersabroadsetofcomplementaryservicesthathelporganizationsovercometheseconstraintsandtosupportagilityandlowerITcosts.

OnAWS,thereisasetofmanagedservicesthatprovidesbuildingblocksfordeveloperstoleverageforpoweringtheirapplications.Thesemanagedservicesincludedatabases,machinelearning,analytics,queuing,search,email,notifications,andmore.Forexample,withAmazonSQS,youcanoffloadtheadministrativeburdenofoperatingandscalingahighlyavailablemessagingclusterwhilepayingalowpriceforonlywhatyouuse.ThesameappliestoAmazonS3,whereyoucanstoreasmuchdataasrequiredandaccessitwhenneededwithouthavingtothinkaboutcapacity,harddiskconfigurations,replication,andotherhardware-basedconsiderations.

TherearemanyotherexamplesofmanagedservicesonAWS,suchasAmazonCloudFrontforcontentdelivery,ElasticLoadBalancingforloadbalancing,AmazonDynamoDBforNoSQLdatabases,AmazonCloudSearchforsearchworkloads,AmazonElasticTranscoderforvideoencoding,AmazonSimpleEmailService(AmazonSES)forsendingandreceivingemails,andmore.

ArchitecturesthatdonotleveragethebreadthofAWSCloudservices(forexample,theyuseonlyAmazonEC2)mightbeself-constrainingtheabilitytomakethemostofcloudcomputing.Thisoversightoftenleadstomissingkeyopportunitiestoincreasedeveloperproductivityandoperationalefficiency.Whenorganizationscombineon-demandprovisioning,managedservices,andtheinherentflexibilityofthecloud,theyrealizethatapparentconstraintscanactuallybebrokendowninwaysthatwillactuallyimprovethe

scalabilityandoverallperformanceoftheirsystems.

SummaryTypically,productionsystemscomewithdefinedorimplicitrequirementsintermsofuptime.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.

Traditionalinfrastructuregenerallynecessitatespredictingtheamountofcomputingresourcesyourapplicationwilluseoveraperiodofseveralyears.Ifyouunderestimate,yourapplicationswillnothavethehorsepowertohandleunexpectedtraffic,potentiallyresultingincustomerdissatisfaction.Ifyouoverestimate,you’rewastingmoneywithsuperfluousresources.Theon-demandandelasticnatureofthecloudenablestheinfrastructuretobecloselyalignedwiththeactualdemand,therebyincreasingoverallutilizationandreducingcost.Whilecloudcomputingprovidesvirtuallyunlimitedon-demandcapacity,systemarchitecturesneedtobeabletotakeadvantageofthoseresourcesseamlessly.TherearegenerallytwowaystoscaleanITarchitecture:verticallyandhorizontally.

TheAWSCloudprovidesgovernancecapabilitiesthatenablecontinuousmonitoringofconfigurationchangestoyourITresources.BecauseAWSassetsareprogrammableresources,yoursecuritypolicycanbeformalizedandembeddedwiththedesignofyourinfrastructure.Withtheabilitytospinuptemporaryenvironments,securitytestingcannowbecomepartofyourcontinuousdeliverypipeline.SolutionsArchitectscanleverageaplethoraofnativeAWSsecurityandencryptionfeaturesthatcanhelpachievehigherlevelsofdataprotectionandcomplianceateverylayerofcloudarchitectures.

BecauseAWSmakesparallelizationeffortless,SolutionsArchitectsneedtointernalizetheconceptofparallelizationwhendesigningarchitecturesinthecloud.Itisadvisablenotonlytoimplementparallelizationwhereverpossible,butalsotoautomateitbecausethecloudallowsyoutocreatearepeatableprocessveryeasily.

Asapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.SolutionsArchitectsshoulddesignsystemsinawaythatreducesinterdependencies,sothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.

Whenorganizationstrytomaptheirexistingsystemspecificationstothoseavailableinthecloud,theynoticethatthecloudmightnothavetheexactspecificationoftheresourcethattheyhaveon-premises.Organizationsshouldnotbeafraidandfeelconstrainedwhenusingcloudresources.Evenifyoumightnotgetanexactreplicaofyourhardwareinthecloudenvironment,youhavetheabilitytogetmoreofthoseresourcesinthecloudtocompensate.

Byfocusingonconceptsandbestpractices—likedesigningforfailure,decouplingtheapplicationcomponents,understandingandimplementingelasticity,combiningitwithparallelization,andintegratingsecurityineveryaspectoftheapplicationarchitecture—SolutionsArchitectscanunderstandthedesignconsiderationsnecessaryforbuildinghighlyscalablecloudapplications.

Aseachusecaseisunique,SolutionsArchitectsneedtoremaindiligentinevaluatinghowbestpracticesandpatternscanbeappliedtoeachimplementation.Thetopicofcloudcomputingarchitecturesisbroadandcontinuouslyevolving.

ExamEssentialsUnderstandhighlyavailablearchitectures.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.

Understandredundancy.Redundancycanbeimplementedineitherstandbyoractivemode.Whenaresourcefailsinstandbyredundancy,functionalityisrecoveredonasecondaryresourceusingaprocesscalledfailover.Thefailoverwilltypicallyrequiresometimebeforeitiscompleted,andduringthatperiodtheresourceremainsunavailable.Inactiveredundancy,requestsaredistributedtomultipleredundantcomputeresources,andwhenoneofthemfails,therestcansimplyabsorbalargershareoftheworkload.Comparedtostandbyredundancy,activeredundancycanachievebetterutilizationandaffectasmallerpopulationwhenthereisafailure.

Understandelasticity.Elasticarchitecturescansupportgrowthinusers,traffic,ordatasizewithnodropinperformance.Itisimportanttobuildelasticsystemsontopofascalablearchitecture.Thesearchitecturesshouldscaleinalinearmanner,whereaddingextraresourcesresultsinatleastaproportionalincreaseinabilitytoserveadditionalsystemload.Thegrowthinresourcesshouldintroduceeconomiesofscale,andcostshouldfollowthesamedimensionthatgeneratesbusinessvalueoutofthatsystem.TherearegenerallytwowaystoscaleanITarchitecture:verticallyandhorizontally.

Understandverticalscaling.Scalingverticallytakesplacethroughanincreaseinthespecificationsofanindividualresource(forexample,upgradingaserverwithalargerharddriveorafasterCPU).Thiswayofscalingcaneventuallyhitalimit,anditisnotalwaysacostefficientorhighlyavailableapproach.

Understandhorizontalscaling.Scalinghorizontallytakesplacethroughanincreaseinthenumberofresources.ThisisagreatwaytobuildInternet-scaleapplicationsthatleveragetheelasticityofcloudcomputing.Itisimportanttounderstandtheimpactofstatelessandstatefularchitecturesbeforeimplementinghorizontalscaling.

Understandstatelessapplications.Astatelessapplicationneedsnoknowledgeofthepreviousinteractionsandstoresnosessioninformation.Astatelessapplicationcanscalehorizontallybecauseanyrequestcanbeservicedbyanyoftheavailablesystemcomputeresources.

Understandloosecoupling.Asapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.ThismeansthatITsystemsshouldbedesignedas“blackboxes”toreduceinterdependenciessothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.Themorelooselysystemcomponentsarecoupled,thelargertheyscale.

UnderstandthedifferentstorageoptionsinAWS.AWSoffersabroadrangeofstoragechoicesforbackup,archiving,anddisasterrecovery,aswellasblock,file,andobjectstoragetosuitaplethoraofusecases.Itisimportantfromacost,performance,andfunctionalaspecttoleveragedifferentstorageoptionsavailableinAWSfordifferenttypesofdatasets.

ExercisesInthissection,youwillimplementaresilientapplicationleveragingsomeofthebestpracticesoutlinedinthischapter.YouwillbuildthearchitecturedepictedinFigure14.7inthefollowingseriesofexercises.

FIGURE14.7Samplewebapplicationforchapterexercises

Forassistanceincompletingthefollowingexercises,referencethefollowinguserguides:

AmazonVPC—http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/

GetStarted.html

AmazonEC2(Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

AmazonRDS(MySQL)—http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html

EXERCISE14.1

CreateaCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateanAmazonVPCwithaClasslessInter-DomainRouting(CIDR)blockequalto192.168.0.0/16,anametagofCh14—VPC,anddefaulttenancy.

EXERCISE14.2

CreateanInternetGatewayforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.


3. CreateanInternetgatewaywithanametagofCh14–IGW.

4. AttachtheCh14–IGWInternetgatewaytotheAmazonVPCfromExercise14.1.

EXERCISE14.3

UpdatetheMainRouteTableforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetoAmazonVPCconsole.

3. LocatethemainroutetablefortheAmazonVPCfromExercise14.1.

4. UpdatetheroutetablenametagtoavalueofCh14—MainRouteTable.

5. Updatetheroutetableroutesbyaddingadestinationof0.0.0.0/0withatargetoftheInternetgatewayfromExercise14.2.

EXERCISE14.4

CreatePublicSubnetsforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.


3. CreateasubnetwithaCIDRblockequalto192.168.1.0/24andanametagofCh14—PublicSubnet1.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifyanAvailabilityZoneforthesubnet(forexample,US-East-1a).

4. CreateasubnetwithaCIDRblockequalto192.168.3.0/24andanametagofCh14—PublicSubnet2.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifyanAvailabilityZoneforthesubnetthatisdifferentfromtheonepreviouslyspecified(forexample,US-East-1b).

EXERCISE14.5

CreateaNATGatewayforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.


3. CreateaNetworkAddressTranslation(NAT)gatewayintheAmazonVPCfromExercise14.1withintheCh14—PublicSubnet1subnetfromExercise14.4.

EXERCISE14.6

CreateaPrivateRouteTableforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.


3. CreatearoutetablefortheAmazonVPCfromExercise14.1withanametagofCh14—PrivateRouteTable.

4. Updatetheroutetableroutesbyaddingadestinationof0.0.0.0/0withatargetoftheNATgatewayfromExercise14.5.

EXERCISE14.7

CreatePrivateSubnetsforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.


3. CreateasubnetwithaCIDRblockequalto192.168.2.0/24andanametagofCh14—PrivateSubnet1.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifythesameAvailabilityZoneforthesubnetthatwasusedinExercise14.4fortheCh14—PublicSubnet1(forexample,US-East-1a).

4. UpdatetheroutetableforthecreatedsubnettotheCh14—PrivateRouteTablefromExercise14.6.

5. CreateasubnetwithaCIDRblockequalto192.168.4.0/24andanametagofCh14—PrivateSubnet2.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifythesameAvailabilityZoneforthesubnetthatwasusedinExercise14.4fortheCh14—PublicSubnet2(forexample,US-East-1b).

6. UpdatetheroutetableforthecreatedsubnettotheCh14—PrivateRouteTablefromExercise14.6.

EXERCISE14.8

CreateSecurityGroupsforEachApplicationTier1. LogintotheAWSManagementConsole.


3. CreateanAmazonVPCsecuritygroupfortheELBwithanametagandgrouptabofCh14-ELB-SGandadescriptionofLoadbalancersecuritygroupforCh14exercises.CreatethesecuritygroupintheAmazonVPCfromExercise14.1withaninboundruleofTypeHTTP,aprotocolofTCP,aportrangeof80,andasourceof0.0.0.0/0.

4. CreateanAmazonVPCsecuritygroupforthewebserverswithanametagandgrouptabofCh14-WebServer-SGandadescriptionofWebserversecuritygroupforCh14exercises.CreatethesecuritygroupintheAmazonVPCfromExercise14.1withaninboundruleofTypeHTTP,aprotocolofTCP,aportrangeof80,andasourceoftheCh14-ELB-SGsecuritygroup.YoumaywanttoaddanotherinboundruleofTypeSSH,aprotocolofTCP,aportrangeof22,andasourceofyourIPaddresstoprovidesecureaccesstomanagetheservers.

5. CreateanAmazonVPCsecuritygroupfortheAmazonRDSMySQLdatabasewithanametagandgrouptabofCh14-DB-SGandadescriptionofDatabasesecuritygroupforCh14exercises.CreatethesecuritygroupintheAmazonVPCfromExercise14.1withaninboundruleofTypeMYSQL/Aurora,aprotocolofTCP,aportrangeof3306,andasourceoftheCh14-WebServer-SGsecuritygroup.

EXERCISE14.9

CreateaMySQLMulti-AZAmazonRDSInstance1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonRDSconsole.

3. CreateaDBsubnetgroupwithanameofCh14-SubnetGroupandadescriptionofSubnetgroupforCh14exercises.CreatetheDBsubnetgroupintheAmazonVPCfromExercise14.1withtheprivatesubnetsfromExercise14.7.

4. LaunchaMySQLAmazonRDSinstancewiththefollowingcharacteristics:

DBInstanceClass:db.t2.small

Multi-AZDeployment:yes

AllocatedStorage:nolessthan5GB

DBInstanceIdentifier:ch14db

MasterUserName:yourchoice

MasterPassword:yourchoice

VPC:theAmazonVPCfromExercise14.1

DBSecurityGroup:Ch14-SubnetGroup

PubliclyAccessible:No

VPCSecurityGroup:Ch14-DB-SG

DatabaseName:appdb

DatabasePort:3306

EXERCISE14.10

CreateanElasticLoadBalancer(ELB)1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonEC2console.

3. CreateanELBwithaloadbalancernameofCh14-WebServer-ELB.CreatetheELBintheAmazonVPCfromExercise14.1withalistenerconfigurationofthefollowing:

LoadBalancerProtocol:HTTP

LoadBalancerPort:80

InstanceProtocol:HTTP

InstancePort:80

4. AddthepublicsubnetscreatedinExercise14.4.

5. AssigntheexistingsecuritygroupofCh14-ELB-SGcreatedinExercise14.8.

6. ConfigurethehealthcheckwithapingprotocolofHTTP,apingportof80,andapingpathof/index.html.

7. AddatagwithakeyofNameandvalueofCh14-WebServer-ELB.

8. UpdatetheELBportconfigurationtoenableload-balancergeneratedcookiestickinesswithanexpirationperiodof30seconds.

EXERCISE14.11

CreateaWebServerAutoScalingGroup1. LogintotheAWSManagementConsole.


3. CreatealaunchconfigurationforthewebserverAutoScalinggroupwiththefollowingcharacteristics:

AMI:latestAmazonLinuxAMI

InstanceType:t2.small

Name:Ch14-WebServer-LC

Userdata:

#!/bin/bash

yumupdate–y

yuminstall-yphp

yuminstall-yphp-mysql

yuminstall-ymysql

yuminstall-yhttpd

echo"<html><body><h1>poweredbyAWS</h1></body></html>">

/var/www/html/index.html

servicehttpdstart

SecurityGroup:Ch14-WebServer-SG

KeyPair:existingornewkeypairforyouraccount

4. CreateanAutoScalinggroupforthewebserversfromthelaunchconfigurationCh14-WebServer-LCwithagroupnameofCh14-WebServer-AG.CreatetheAutoScalinggroupintheAmazonVPCfromExercise14.1withthepublicsubnetscreatedinExercise14.4andagroupsizeof2.

5. AssociatetheloadbalancerCh14-WebServer-ELBcreatedinExercise14.10totheAutoScalinggroup.

6. AddanametagwithakeyofNameandvalueofCh14-WebServer-AGtotheAutoScalinggroup.

Youwillneedyourowndomainnametocompletethissection,andyoushouldbeawarethatAmazonRoute53isnoteligibleforAWSFreeTier.HostingazoneonAmazonRoute53willcostapproximately$0.50permonthperhostedzone,andadditionalchargeswillbelevieddependingonwhatroutingpolicyyouchoose.FormoreinformationonAmazonRoute53pricing,refertohttp://aws.amazon.com/route53/pricing/.

http://aws.amazon.com/route53/pricing/

EXERCISE14.12

CreateaRoute53HostedZone1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonRoute53consoleandcreateahostedzone.

3. Enteryourdomainnameandcreateyournewzonefile.

4. Inthenewzonefile,youwillseetheStartofAuthority(SOA)recordandnameservers.Youwillneedtologintoyourdomainregistrar’swebsiteandupdatethenameserverswithyourAWSnameservers.

IftheregistrarhasamethodtochangetheTimeToLive(TTL)settingsfortheirnameservers,itisrecommendedthatyouresetthesettingsto900seconds.Thislimitsthetimeduringwhichclientrequestswilltrytoresolvedomainnamesusingobsoletenameservers.YouwillneedtowaitforthedurationofthepreviousTTLforresolversandclientstostopcachingtheDNSrecordswiththeirpreviousvalues.

5. Afteryouupdateyournameserverswithyourdomainregistrars,AmazonRoute53willbeconfiguredtoserveDNSrequestsforyourdomain.

EXERCISE14.13

CreateanAliasARecord1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonRoute53console.

3. SelectyourRoute53hostedzonecreatedinExercise14.12.CreatearecordsetwithanameofwwwandatypeofA—IPv4Address.

4. CreateanaliaswithanaliastargetoftheELBCh14-WebServer-ELBcreatedinExercise14.10andleaveyourroutingpolicyassimple.

EXERCISE14.14

TestYourConfiguration1. LogintotheAWSManagementConsole.


3. VerifythattheELBcreatedinExercise14.11has2of2instancesinservice.

4. Inawebbrowser,navigatetothewebfarm(www.example.com)usingtheHostedZoneArecordcreatedinExercise14.13.YoushouldseethepoweredbyAWSonthewebpage.


ReviewQuestions1. Whendesigningalooselycoupledsystem,whichAWSservicesprovideanintermediatedurablestoragelayerbetweencomponents?(Choose2answers)

A. AmazonCloudFront

B. AmazonKinesis

C. AmazonRoute53


E. AmazonSimpleQueueService(AmazonSQS)

2. Whichofthefollowingoptionswillhelpincreasetheavailabilityofawebserverfarm?(Choose2answers)

A. UseAmazonCloudFronttodelivercontenttotheenduserswithlowlatencyandhighdatatransferspeeds.

B. LaunchthewebserverinstancesacrossmultipleAvailabilityZones.

C. LeverageAutoScalingtorecoverfromfailedinstances.

D. DeploytheinstancesinanAmazonVirtualPrivateCloud(AmazonVPC).

E. AddmoreCPUandRAMtoeachinstance.

3. WhichofthefollowingAWSCloudservicesaredesignedaccordingtotheMulti-AZprinciple?(Choose2answers)

A. AmazonDynamoDB

B. AmazonElastiCache

C. ElasticLoadBalancing

D. AmazonVirtualPrivateCloud(AmazonVPC)

E. AmazonSimpleStorageService(AmazonS3)

4. Youre-commercesitewasdesignedtobestatelessandcurrentlyrunsonafleetofAmazonElasticComputeCloud(AmazonEC2)instances.Inanefforttocontrolcostandincreaseavailability,youhavearequirementtoscalethefleetbasedonCPUandnetworkutilizationtomatchthedemandcurveforyoursite.Whatservicesdoyouneedtomeetthisrequirement?(Choose2answers)

A. AmazonCloudWatch

B. AmazonDynamoDB

C. ElasticLoadBalancing

D. AutoScaling

E. AmazonSimpleStorageService(AmazonS3)

5. YourcompliancedepartmenthasmandatedanewrequirementthatalldataonAmazon

ElasticBlockStorage(AmazonEBS)volumesmustbeencrypted.WhichofthefollowingstepswouldyoufollowforyourexistingAmazonEBSvolumestocomplywiththenewrequirement?(Choose3answers)

A. MovetheexistingAmazonEBSvolumeintoanAmazonVirtualPrivateCloud(AmazonVPC).

B. CreateanewAmazonEBSvolumewithencryptionenabled.

C. ModifytheexistingAmazonEBSvolumepropertiestoenableencryption.

D. AttachanAmazonEBSvolumewithencryptionenabledtotheinstancethathoststhedata,thenmigratethedatatotheencryption-enabledAmazonEBSvolume.

E. CopythedatafromtheunencryptedAmazonEBSvolumetotheAmazonEBSvolumewithencryptionenabled.

6. WhenbuildingaDistributedDenialofService(DDoS)-resilientarchitecture,howdoesAmazonVirtualPrivateCloud(AmazonVPC)helpminimizetheattacksurfacearea?(Choose3answers)

A. ReducesthenumberofnecessaryInternetentrypoints

B. Combinesendusertrafficwithmanagementtraffic

C. ObfuscatesnecessaryInternetentrypointstothelevelthatuntrustedenduserscannotaccessthem

D. Addsnon-criticalInternetentrypointstothearchitecture

E. ScalesthenetworktoabsorbDDoSattacks

7. Youre-commerceapplicationprovidesdailyandadhocreportingtovariousbusinessunitsoncustomerpurchases.ThisisresultinginanextremelyhighlevelofreadtraffictoyourMySQLAmazonRelationalDatabaseService(AmazonRDS)instance.Whatcanyoudotoscaleupreadtrafficwithoutimpactingyourdatabase’sperformance?

A. IncreasetheallocatedstoragefortheAmazonRDSinstance.

B. ModifytheAmazonRDSinstancetobeaMulti-AZdeployment.

C. CreateareadreplicaforanAmazonRDSinstance.

D. ChangetheAmazonRDSinstanceDBengineversion.

8. YourwebsiteishostedonafleetofwebserversthatareloadbalancedacrossmultipleAvailabilityZonesusinganElasticLoadBalancer(ELB).WhattypeofrecordsetinAmazonRoute53canbeusedtopointmyawesomeapp.comtoyourwebsite?

A. TypeAAliasresourcerecordset

B. MXrecordset

C. TXTrecordset

D. CNAMErecordset

9. YouneedasecurewaytodistributeyourAWScredentialstoanapplicationrunningonAmazonElasticComputeCloud(AmazonEC2)instancesinordertoaccess

supplementaryAWSCloudservices.Whatapproachprovidesyourapplicationaccesstouseshort-termcredentialsforsigningrequestswhileprotectingthosecredentialsfromotherusers?

A. AddyourcredentialstotheUserDataparameterofeachAmazonEC2instance.

B. UseaconfigurationfiletostoreyouraccessandsecretkeysontheAmazonEC2instances.

C. Specifyyouraccessandsecretkeysdirectlyinyourapplication.

D. ProvisiontheAmazonEC2instanceswithaninstanceprofilethathastheappropriateprivileges.

10. YouarerunningasuiteofmicroservicesonAWSLambdathatprovidethebusinesslogicandaccesstodatastoredinAmazonDynamoDBforyourtaskmanagementsystem.Youneedtocreatewell-definedRESTfulApplicationProgramInterfaces(APIs)forthesemicroservicesthatwillscalewithtraffictosupportanewmobileapplication.WhatAWSCloudservicecanyouusetocreatethenecessaryRESTfulAPIs?

A. AmazonKinesis

B. AmazonAPIGateway

C. AmazonCognito

D. AmazonElasticComputeCloud(AmazonEC2)ContainerRegistry

11. YourWordPresswebsiteishostedonafleetofAmazonElasticComputeCloud(AmazonEC2)instancesthatleverageAutoScalingtoprovidehighavailability.ToensurethatthecontentoftheWordPresssiteissustainedthroughscaleupandscaledownevents,youneedacommonfilesystemthatissharedbetweenmorethanoneAmazonEC2instance.WhichAWSCloudservicecanmeetthisrequirement?

A. AmazonCloudFront

B. AmazonElastiCache

C. AmazonElasticFileSystem(AmazonEFS)

D. AmazonElasticBeanstalk

12. YouarechangingyourapplicationtomovesessionstateinformationofftheindividualAmazonElasticComputeCloud(AmazonEC2)instancestotakeadvantageoftheelasticityandcostbenefitsprovidedbyAutoScaling.WhichofthefollowingAWSCloudservicesisbestsuitedasanalternativeforstoringsessionstateinformation?

A. AmazonDynamoDB

B. AmazonRedshift

C. AmazonStorageGateway

D. AmazonKinesis

13. Amediasharingapplicationisproducingaveryhighvolumeofdatainaveryshortperiodoftime.Yourback-endservicesareunabletomanagethelargevolumeoftransactions.Whatoptionprovidesawaytomanagetheflowoftransactionstoyour

back-endservices?

A. StoretheinboundtransactionsinanAmazonRelationalDatabaseService(AmazonRDS)instancesothatyourback-endservicescanretrievethemastimepermits.

B. UseanAmazonSimpleQueueService(AmazonSQS)queuetobuffertheinboundtransactions.

C. UseanAmazonSimpleNotificationService(AmazonSNS)topictobuffertheinboundtransactions.

D. StoretheinboundtransactionsinanAmazonElasticMapReduce(AmazonEMR)clustersothatyourback-endservicescanretrievethemastimepermits.

14. WhichofthefollowingarebestpracticesformanagingAWSIdentityandAccessManagement(IAM)useraccesskeys?(Choose3answers)

A. Embedaccesskeysdirectlyintoapplicationcode.

B. Usedifferentaccesskeysfordifferentapplications.

C. Rotateaccesskeysperiodically.

D. Keepunusedaccesskeysforanindefiniteperiodoftime.

E. ConfigureMulti-FactorAuthentication(MFA)foryourmostsensitiveoperations.

15. YouneedtoimplementaservicetoscanApplicationProgramInterface(API)callsandrelatedevents’historytoyourAWSaccount.Thisservicewilldetectthingslikeunusedpermissions,overuseofprivilegedaccounts,andanomalouslogins.WhichofthefollowingAWSCloudservicescanbeleveragedtoimplementthisservice?(Choose3answers)

A. AWSCloudTrail

B. AmazonSimpleStorageService(AmazonS3)

C. AmazonRoute53

D. AutoScaling

E. AWSLambda

16. Governmentregulationsrequirethatyourcompanymaintainallcorrespondenceforaperiodofsevenyearsforcompliancereasons.Whatisthebeststoragemechanismtokeepthisdatasecureinacost-effectivemanner?

A. AmazonS3

B. AmazonGlacier

C. AmazonEBS

D. AmazonEFS

17. YourcompanyprovidesmediacontentviatheInternettocustomersthroughapaidsubscriptionmodel.YouleverageAmazonCloudFronttodistributecontenttoyourcustomerswithlowlatency.Whatapproachcanyouusetoservethisprivatecontentsecurelytoyourpaidsubscribers?

A. ProvidesignedAmazonCloudFrontURLstoauthenticateduserstoaccessthepaidcontent.

B. UseHTTPSrequeststoensurethatyourobjectsareencryptedwhenAmazonCloudFrontservesthemtoviewers.

C. ConfigureAmazonCloudFronttocompressthemediafilesautomaticallyforpaidsubscribers.

D. UsetheAmazonCloudFrontgeorestrictionfeaturetorestrictaccesstoallofthepaidsubscriptionmediaatthecountrylevel.

18. Yourcompanyprovidestranscodingservicesforamateurproducerstoformattheirshortfilmstoavarietyofvideoformats.Whichserviceprovidesthebestoptionforstoringthevideos?

A. AmazonGlacier

B. AmazonSimpleStorageService(AmazonS3)

C. AmazonRelationalDatabaseService(AmazonRDS)

D. AWSStorageGateway

19. AweekbeforeCyberMondaylastyear,yourcorporatedatacenterexperiencedafailedairconditioningunitthatcausedfloodingintotheserverracks.Theresultingoutagecostyourcompanysignificantrevenue.YourCIOmandatedamovetothecloud,butheisstillconcernedaboutcatastrophicfailuresinadatacenter.Whatcanyoudotoalleviatehisconcerns?

A. DistributethearchitectureacrossmultipleAvailabilityZones.

B. UseanAmazonVirtualPrivateCloud(AmazonVPC)withsubnets.

C. Launchthecomputefortheprocessingservicesinaplacementgroup.

D. PurchaseReservedInstancesfortheprocessingservicesinstances.

20. YourAmazonVirtualPrivateCloud(AmazonVPC)includesmultipleprivatesubnets.Theinstancesintheseprivatesubnetsmustaccessthird-partypaymentApplicationProgramInterfaces(APIs)overtheInternet.WhichoptionwillprovidehighlyavailableInternetaccesstotheinstancesintheprivatesubnets?

A. CreateanAWSStorageGatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheAWSStorageGatewayinthesameAvailabilityZone.

B. CreateacustomergatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusethecustomergatewayinthesameAvailabilityZone.

C. CreateaNetworkAddressTranslation(NAT)gatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.

D. CreateaNATgatewayinoneAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusethatNATgatewayinalltheAvailabilityZones.

AppendixAAnswerstoReviewQuestions

Chapter1:IntroductiontoAWS1. D.AregionisanamedsetofAWSresourcesinthesamegeographicalarea.AregioncomprisesatleasttwoAvailabilityZones.Endpoint,Collection,andFleetdonotdescribeaphysicallocationaroundtheworldwhereAWSclustersdatacenters.

2. A.AnAvailabilityZoneisadistinctlocationwithinaregionthatisinsulatedfromfailuresinotherAvailabilityZonesandprovidesinexpensive,low-latencynetworkconnectivitytootherAvailabilityZonesinthesameregion.Replicationareas,geographicdistricts,andcomputecentersarenottermsusedtodescribeAWSdatacenterlocations.

3. B.Ahybriddeploymentisawaytoconnectinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresourcesthatarenotlocatedinthecloud.Anall-indeploymentreferstoanenvironmentthatexclusivelyrunsinthecloud.Anon-premisesdeploymentreferstoanenvironmentthatrunsexclusivelyinanorganization’sdatacenter.

4. C.AmazonCloudWatchisamonitoringserviceforAWSCloudresourcesandtheapplicationsorganizationsrunonAWS.Itallowsorganizationstocollectandtrackmetrics,collectandmonitorlogfiles,andsetalarms.AWSIAM,AmazonSNS,andAWSCloudFormationdonotprovidevisibilityintoresourceutilization,applicationperformance,andtheoperationalhealthofyourAWSresources.

5. B.AmazonDynamoDBisafullymanaged,fast,andflexibleNoSQLdatabaseserviceforallapplicationsthatneedconsistent,single-digitmillisecondlatencyatanyscale.AmazonSQS,AmazonElastiCache,andAmazonRDSdonotprovideaNoSQLdatabaseservice.AmazonSQSisamanagedmessagequeuingservice.AmazonElastiCacheisaservicethatprovidesin-memorycacheinthecloud.Finally,AmazonRDSprovidesmanagedrelationaldatabases.

6. A.AutoScalinghelpsmaintainapplicationavailabilityandallowsorganizationstoscaleAmazonElasticComputeCloud(AmazonEC2)capacityupordownautomaticallyaccordingtoconditionsdefinedfortheparticularworkload.NotonlycanitbeusedtohelpensurethatthedesirednumberofAmazonEC2instancesarerunning,butitalsoallowsresourcestoscaleinandouttomatchthedemandsofdynamicworkloads.AmazonGlacier,AmazonSNS,andAmazonVPCdonotprovideservicestoscalecomputecapacityautomatically.

7. D.AmazonCloudFrontisawebservicethatprovidesaCDNtospeedupdistributionofyourstaticanddynamicwebcontent—forexample,.html,.css,.php,image,andmediafiles—toendusers.AmazonCloudFrontdeliverscontentthroughaworldwidenetworkofedgelocations.AmazonEC2,AmazonRoute53,andAWSStorageGatewaydonotprovideCDNservicesthatarerequiredtomeettheneedsforthephotosharingservice.

8. A.AmazonEBSprovidespersistentblock-levelstoragevolumesforusewithAmazonEC2instancesontheAWSCloud.AmazonDynamoDB,AmazonGlacier,andAWSCloudFormationdonotprovidepersistentblock-levelstorageforAmazonEC2instances.AmazonDynamoDBprovidesmanagedNoSQLdatabases.AmazonGlacierprovideslow-costarchivalstorage.AWSCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources.

9. C.AmazonVPCletsorganizationsprovisionalogicallyisolatedsectionoftheAWSCloudwheretheycanlaunchAWSresourcesinavirtualnetworkthattheydefine.AmazonSWF,AmazonRoute53,andAWSCloudFormationdonotprovideavirtualnetwork.AmazonSWFhelpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.AmazonRoute53providesahighlyavailableandscalablecloudDomainNameSystem(DNS)webservice.AmazonCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources.

10. B.AmazonSQSisafast,reliable,scalable,fullymanagedmessagequeuingservicethatallowsorganizationstodecouplethecomponentsofacloudapplication.WithAmazonSQS,organizationscantransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobealwaysavailable.AWSCloudTrailrecordsAWSAPIcalls,andAmazonRedshiftisadatawarehouse,neitherofwhichwouldbeusefulasanarchitecturecomponentfordecouplingcomponents.AmazonSNSprovidesamessagingbuscomplementtoAmazonSQS;however,itdoesn’tprovidethedecouplingofcomponentsnecessaryforthisscenario.

Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage1. D,E.Objectsarestoredinbuckets,andobjectscontainbothdataandmetadata.

2. B,D.AmazonS3cannotbemountedtoanAmazonEC2instancelikeafilesystemandshouldnotserveasprimarydatabasestorage.

3. A,B,D.CandEareincorrect—objectsareprivatebydefault,andstorageinabucketdoesnotneedtobepre-allocated.

4. B,C,E.Staticwebsitehostingdoesnotrestrictdataaccess,andneitherdoesanAmazonS3lifecyclepolicy.

5. C,E.Versioningprotectsdataagainstinadvertentorintentionaldeletionbystoringallversionsoftheobject,andMFADeleterequiresaone-timecodefromaMulti-FactorAuthentication(MFA)devicetodeleteobjects.Cross-regionreplicationandmigrationtotheAmazonGlacierstorageclassdonotprotectagainstdeletion.VaultlocksareafeatureofAmazonGlacier,notafeatureofAmazonS3.

6. C.MigratingthedatatoAmazonS3Standard-IAafter30daysusingalifecyclepolicyiscorrect.AmazonS3RRSshouldonlybeusedforeasilyreplicateddata,notcriticaldata.MigrationtoAmazonGlaciermightminimizestoragecostsifretrievalsareinfrequent,butdocumentswouldnotbeavailableinminuteswhenneeded.

7. B.Dataisautomaticallyreplicatedwithinaregion.Replicationtootherregionsandversioningareoptional.AmazonS3dataisnotbackeduptotape.

8. C.InaURL,thebucketnameprecedesthestring“s3.amazonaws.com/,”andtheobjectkeyiseverythingafterthat.ThereisnofolderstructureinAmazonS3.

9. C.AmazonS3serveraccesslogsstorearecordofwhatrequestoraccessedtheobjectsinyourbucket,includingtherequestingIPaddress.

10. B,C.Cross-regionreplicationcanhelplowerlatencyandsatisfycompliancerequirementsondistance.AmazonS3isdesignedforelevenninesdurabilityforobjectsinasingleregion,soasecondregiondoesnotsignificantlyincreasedurability.Cross-regionreplicationdoesnotprotectagainstaccidentaldeletion.

11. C.IfdatamustbeencryptedbeforebeingsenttoAmazonS3,client-sideencryptionmustbeused.

12. B.AmazonS3scalesautomatically,butforrequestratesover100GETSpersecond,ithelpstomakesurethereissomerandomnessinthekeyspace.Replicationandloggingwillnotaffectperformanceorscalability.Usingsequentialkeynamescouldhaveanegativeeffectonperformanceorscalability.

13. A,D.Youmustenableversioningbeforeyoucanenablecross-regionreplication,andAmazonS3musthaveIAMpermissionstoperformthereplication.Lifecyclerulesmigratedatafromonestorageclasstoanother,notfromonebuckettoanother.Staticwebsitehostingisnotaprerequisiteforreplication.

14. B.AmazonS3isthemostcosteffectivestorageonAWS,andlifecyclepoliciesarea

simpleandeffectivefeaturetoaddressthebusinessrequirements.

15. B,C,E.AmazonS3bucketpoliciescannotspecifyacompanynameoracountryororigin,buttheycanspecifyrequestIPrange,AWSaccount,andaprefixforobjectsthatcanbeaccessed.

16. B,C.AmazonS3providesread-after-writeconsistencyforPUTstonewobjects(newkey),buteventualconsistencyforGETsandDELETEsofexistingobjects(existingkey).

17. A,B,D.A,B,andDarerequired,andnormallyyoualsosetafriendlyCNAMEtothebucketURL.AmazonS3doesnotsupportFTPtransfers,andHTTPdoesnotneedtobeenabled.

18. B.Pre-signedURLsallowyoutogranttime-limitedpermissiontodownloadobjectsfromanAmazonSimpleStorageService(AmazonS3)bucket.Staticwebhostinggenerallyrequiresworld-readaccesstoallcontent.AWSIAMpoliciesdonotknowwhotheauthenticatedusersofthewebappare.Loggingcanhelptrackcontentloss,butnotpreventit.

19. A,C.AmazonGlacierisoptimizedforlong-termarchivalstorageandisnotsuitedtodatathatneedsimmediateaccessorshort-liveddatathatiserasedwithin90days.

20. C,D,E.AmazonGlacierstoresdatainarchives,whicharecontainedinvaults.Archivesareidentifiedbysystem-createdarchiveIDs,notkeynames.

Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)1. C.ReservedInstancesprovidecostsavingswhenyoucancommittorunninginstancesfulltime,suchastohandlethebasetraffic.On-DemandInstancesprovidetheflexibilitytohandletrafficspikes,suchasonthelastdayofthemonth.

2. B.SpotInstancesareaverycost-effectivewaytoaddresstemporarycomputeneedsthatarenoturgentandaretolerantofinterruption.That’sexactlytheworkloaddescribedhere.ReservedInstancesareinappropriatefortemporaryworkloads.On-DemandInstancesaregoodfortemporaryworkloads,butdon’tofferthecostsavingsofSpotInstances.Addingmorequeuesisanon-responsiveanswerasitwouldnotaddresstheproblem.

3. C,D.TheAmazonEC2instanceIDwillbeassignedbyAWSaspartofthelaunchprocess.TheadministratorpasswordisassignedbyAWSandencryptedviathepublickey.TheinstancetypedefinesthevirtualhardwareandtheAMIdefinestheinitialsoftwarestate.Youmustspecifybothuponlaunch.

4. A,C.Youcanchangetheinstancetypeonlywithinthesameinstancetypefamily,oryoucanchangetheAvailabilityZone.Youcannotchangetheoperatingsystemnortheinstancetypefamily.

5. D.Whentherearemultiplesecuritygroupsassociatedwithaninstance,alltherulesareaggregated.

6. A,B,E.Thesearethebenefitsofenhancednetworking.

7. A,B,D.Theotheranswershavenothingtodowithnetworking.

8. C.DedicatedInstanceswillnotsharehostswithotheraccounts.

9. B,C.Instancestoresarelow-durability,high-IOPSstoragethatisincludedforfreewiththehourlycostofaninstance.

10. A,C.TherearenotapesintheAWSinfrastructure.AmazonEBSvolumespersistwhentheinstanceisstopped.ThedataisautomaticallyreplicatedwithinanAvailabilityZone.AmazonEBSvolumescanbeencrypteduponcreationandusedbyaninstanceinthesamemannerasiftheywerenotencrypted.

11. B.Thereisnodelayinprocessingwhencommencingasnapshot.

12. B.Thevolumeiscreatedimmediatelybutthedataisloadedlazily.Thismeansthatthevolumecanbeaccesseduponcreation,andifthedatabeingrequestedhasnotyetbeenrestored,itwillberestoreduponfirstrequest.

13. A,C.BandDareincorrectbecauseaninstancestorewillnotbedurableandamagneticvolumeoffersanaverageof100IOPS.AmazonEBS-optimizedinstancesreservenetworkbandwidthontheinstanceforIO,andProvisionedIOPSSSDvolumesprovidethehighestconsistentIOPS.

14. D.Bootstrappingrunstheprovidedscript,soanythingyoucanaccomplishinascriptyoucanaccomplishduringbootstrapping.

15. C.Thepublichalfofthekeypairisstoredontheinstance,andtheprivatehalfcanthenbeusedtoconnectviaSSH.

16. B,C.ThesearethepossibleoutputsofVMImport/Export.

17. B,D.NeithertheWindowsmachinenamenortheAmazonEC2instanceIDcanberesolvedintoanIPaddresstoaccesstheinstance.

18. A.Noneoftheotheroptionswillhaveanyeffectontheabilitytoconnect.

19. C.Ashortperiodofheavytrafficisexactlytheusecasefortheburstingnatureofgeneral-purposeSSDvolumes—therestofthedayismorethanenoughtimetobuildupenoughIOPScreditstohandlethenightlytask.Instancestoresarenotdurable,magneticvolumescannotprovideenoughIOPS,andtosetupaProvisionedIOPSSSDvolumetohandlethepeakwouldmeanspendingmoneyformoreIOPSthanyouneed.

20. B.ThereisaverysmallhourlychargeforallocatedelasticIPaddressesthatarenotassociatedwithaninstance.

Chapter4:AmazonVirtualPrivateCloud(AmazonVPC)1. C.TheminimumsizesubnetthatyoucanhaveinanAmazonVPCis/28.

2. C.Youneedtwopublicsubnets(oneforeachAvailabilityZone)andtwoprivatesubnets(oneforeachAvailabilityZone).Therefore,youneedfoursubnets.

3. A.NetworkACLsareassociatedtoaVPCsubnettocontroltrafficflow.

4. A.ThemaximumsizesubnetthatyoucanhaveinaVPCis/16.

5. D.BycreatingarouteouttotheInternetusinganIGW,youhavemadethissubnetpublic.

6. A.WhenyoucreateanAmazonVPC,aroutetableiscreatedbydefault.YoumustmanuallycreatesubnetsandanIGW.

7. C.WhenyouprovisionanAmazonVPC,allsubnetscancommunicatewitheachotherbydefault.

8. A.YoumayonlyhaveoneIGWforeachAmazonVPC.

9. B.Securitygroupsarestateful,whereasnetworkACLsarestateless.

10. C.Youshoulddisablesource/destinationchecksontheNAT.

11. B,E.IntheEC2-Classicnetwork,theEIPwillbedisassociatedwiththeinstance;intheEC2-VPCnetwork,theEIPremainsassociatedwiththeinstance.Regardlessoftheunderlyingnetwork,astop/startofanAmazonEBS-backedAmazonEC2instancealwayschangesthehostcomputer.

12. D.SixVPCPeeringconnectionsareneededforeachofthefourVPCstosendtraffictotheother.

13. B.ADHCPoptionsetallowscustomerstodefineDNSserversforDNSnameresolution,establishdomainnamesforinstanceswithinanAmazonVPC,defineNTPservers,anddefinetheNetBIOSnameservers.

14. D.ACGWisthecustomersideofaVPNconnection,andanIGWconnectsanetworktotheInternet.AVPGistheAmazonsideofaVPNconnection.

15. A.ThedefaultlimitforthenumberofAmazonVPCsthatacustomermayhaveinaregionis5.

16. B.NetworkACLrulescandenytraffic.

17. D.IPsecisthesecurityprotocolsupportedbyAmazonVPC.

18. D.AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATdevice,VPNconnection,orAWSDirectConnect.

19. A,C.TheCIDRblockisspecifieduponcreationandcannotbechanged.AnAmazonVPCisassociatedwithexactlyoneregionwhichmustbespecifieduponcreation.YoucanaddasubnettoanAmazonVPCanytimeafterithasbeencreated,provideditsaddressrangefallswithintheAmazonVPCCIDRblockanddoesnotoverlapwiththeaddressrangeof

anyexistingCIDRblock.YoucansetuppeeringrelationshipsbetweenAmazonVPCsaftertheyhavebeencreated.

20. B.AttachinganENIassociatedwithadifferentsubnettoaninstancecanmaketheinstancedual-homed.

Chapter5:ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling1. A,D.AnAutoScalinggroupmusthaveaminimumsizeandalaunchconfigurationdefinedinordertobecreated.Healthchecksandadesiredcapacityareoptional.

2. B.Theloadbalancermaintainstwoseparateconnections:oneconnectionwiththeclientandoneconnectionwiththeAmazonEC2instance.

3. D.AmazonCloudWatchmetricdataiskeptfor2weeks.

4. A.Onlythelaunchconfigurationname,AMI,andinstancetypeareneededtocreateanAutoScalinglaunchconfiguration.Identifyingakeypair,securitygroup,andablockdevicemappingareoptionalelementsforanAutoScalinglaunchconfiguration.

5. B.YoucanusetheAmazonCloudWatchLogsAgentinstalleronexistingAmazonEC2instancestoinstallandconfiguretheCloudWatchLogsAgent.

6. C.Youconfigureyourloadbalancertoacceptincomingtrafficbyspecifyingoneormorelisteners.

7. D.ThedefaultAmazonEC2instancelimitforallregionsis20.

8. A.AnSSLcertificatemustspecifythenameofthewebsiteineitherthesubjectnameorlistedasavalueintheSANextensionofthecertificateinorderforconnectingclientstonotreceiveawarning.

9. C.WhenAmazonEC2instancesfailtherequisitenumberofconsecutivehealthchecks,theloadbalancerstopssendingtraffictotheAmazonEC2instance.

10. D.AmazonCloudWatchmetricsprovidehypervisorvisiblemetrics.

11. C.AutoScalingisdesignedtoscaleoutbasedonaneventlikeincreasedtrafficwhilebeingcosteffectivewhennotneeded.

12. B.AutoScalingwillprovidehighavailabilityacrossthreeAvailabilityZoneswiththreeAmazonEC2instancesineachandkeepcapacityabovetherequiredminimumcapacity,evenintheeventofanentireAvailabilityZonebecomingunavailable.

13. B,E,F.AutoScalingrespondstochangingconditionsbyaddingorterminatinginstances,launchesinstancesfromanAMIspecifiedinthelaunchconfigurationassociatedwiththeAutoScalinggroup,andenforcesaminimumnumberofinstancesinthemin-sizeparameteroftheAutoScalinggroup.

14. D.A,B,andCarealltruestatementsaboutlaunchconfigurationsbeinglooselycoupledandreferencedbytheAutoScalinggroupinsteadofbeingpartoftheAutoScalinggroup.

15. A,C.AnAutoScalinggroupmayuseOn-DemandandSpotInstances.AnAutoScalinggroupmaynotusealreadystoppedinstances,instancesrunningsomeplaceotherthanAWS,andalreadyrunninginstancesnotstartedbytheAutoScalinggroupitself.

16. A,F.AmazonCloudWatchhastwoplans:basic,whichisfree,anddetailed,whichhasanadditionalcost.ThereisnoadhocplanforAmazonCloudWatch.

17. A,C,D.AnElasticLoadBalancinghealthcheckmaybeaping,aconnectionattempt,orapagethatischecked.

18. B,C.Whenconnectiondrainingisenabled,theloadbalancerwillstopsendingrequeststoaderegisteredorunhealthyinstanceandattempttocompletein-flightrequestsuntilaconnectiondrainingtimeoutperiodisreached,whichis300secondsbydefault.

19. B,E,F.ElasticLoadBalancingsupportsInternet-facing,internal,andHTTPSloadbalancers.

20. B,D,E.AutoScalingsupportsmaintainingthecurrentsizeofanAutoScalinggroupusingfourplans:maintaincurrentlevels,manualscaling,scheduledscaling,anddynamicscaling.

Chapter6:AWSIdentityandAccessManagement(IAM)1. B,C.Programmaticaccessisauthenticatedwithanaccesskey,notwithusernames/passwords.IAMrolesprovideatemporarysecuritytokentoanapplicationusinganSDK.

2. A,C.IAMpoliciesareindependentofregion,sonoregionisspecifiedinthepolicy.IAMpoliciesareaboutauthorizationforanalready-authenticatedprincipal,sonopasswordisneeded.

3. A,B,C,E.Lockingdownyourrootuserandallaccountstowhichtheadministratorhadaccessisthekeyhere.DeletingallIAMaccountsisnotnecessary,anditwouldcausegreatdisruptiontoyouroperations.AmazonEC2rolesusetemporarysecuritytokens,sorelaunchingAmazonEC2instancesisnotnecessary.

4. B,D.IAMcontrolsaccesstoAWSresourcesonly.InstallingASP.NETwillrequireWindowsoperatingsystemauthorization,andqueryinganOracledatabasewillrequireOracleauthorization.

5. A,C.AmazonDynamoDBglobalsecondaryindexesareaperformancefeatureofAmazonDynamoDB;ConsolidatedBillingisanaccountingfeatureallowingallbillstorollupunderasingleaccount.Whilebothareveryvaluablefeatures,neitherisasecurityfeature.

6. B,C.AmazonEC2rolesmuststillbeassignedapolicy.IntegrationwithActiveDirectoryinvolvesintegrationbetweenActiveDirectoryandIAMviaSAML.

7. A,D.AmazonEC2rolesprovideatemporarytokentoapplicationsrunningontheinstance;federationmapspoliciestoidentitiesfromothersourcesviatemporarytokens.

8. A,C,D.NeitherBnorEarefeaturessupportedbyIAM.

9. B,C.Accessrequiresanappropriatepolicyassociatedwithaprincipal.ResponseAismerelyapolicywithnoprincipal,andresponseDisnotaprincipalasIAMgroupsdonothaveusernamesandpasswords.ResponseBisthebestsolution;responseCwillalsoworkbutitismuchhardertomanage.

10. C.AnIAMpolicyisaJSONdocument.

Chapter7:DatabasesandAWS1. B.AmazonRDSisbestsuitedfortraditionalOLTPtransactions.AmazonRedshift,ontheotherhand,isdesignedforOLAPworkloads.AmazonGlacierisdesignedforcoldarchivalstorage.

2. D.AmazonDynamoDBisbestsuitedfornon-relationaldatabases.AmazonRDSandAmazonRedshiftarebothstructuredrelationaldatabases.

3. C.Inthisscenario,thebestideaistousereadreplicastoscaleoutthedatabaseandthusmaximizereadperformance.WhenusingMulti-AZ,thesecondarydatabaseisnotaccessibleandallreadsandwritesmustgototheprimaryoranyreadreplicas.

4. A.AmazonRedshiftisbestsuitedfortraditionalOLAPtransactions.WhileAmazonRDScanalsobeusedforOLAP,AmazonRedshiftispurpose-builtasanOLAPdatawarehouse.

5. B.DBSnapshotscanbeusedtorestoreacompletecopyofthedatabaseataspecificpointintime.Individualtablescannotbeextractedfromasnapshot.

6. A.AllAmazonRDSdatabaseenginessupportMulti-AZdeployment.

7. B.ReadreplicasaresupportedbyMySQL,MariaDB,PostgreSQL,andAurora.

8. A.YoucanforceafailoverfromoneAvailabilityZonetoanotherbyrebootingtheprimaryinstanceintheAWSManagementConsole.Thisisoftenhowpeopletestafailoverintherealworld.Thereisnoneedtocreateasupportcase.

9. D.MonitortheenvironmentwhileAmazonRDSattemptstorecoverautomatically.AWSwillupdatetheDBendpointtopointtothesecondaryinstanceautomatically.

10. A.AmazonRDSsupportsMicrosoftSQLServerEnterpriseeditionandthelicenseisavailableonlyundertheBYOLmodel.

11. B.GeneralPurpose(SSD)volumesaregenerallytherightchoicefordatabasesthathaveburstsofactivity.

12. B.NoSQLdatabaseslikeAmazonDynamoDBexcelatscalingtohundredsofthousandsofrequestswithkey/valueaccesstouserprofileandsession.

13. A,C,D.DBsnapshotsallowyoutobackupandrecoveryourdata,whilereadreplicasandaMulti-AZdeploymentallowyoutoreplicateyourdataandreducethetimetofailover.

14. C,D.AmazonRDSallowsforthecreationofoneormoreread-replicasformanyenginesthatcanbeusedtohandlereads.AnothercommonpatternistocreateacacheusingMemcachedandAmazonElastiCachetostorefrequentlyusedqueries.ThesecondaryslaveDBInstanceisnotaccessibleandcannotbeusedtooffloadqueries.

15. A,B,C.Protectingyourdatabaserequiresamultilayeredapproachthatsecurestheinfrastructure,thenetwork,andthedatabaseitself.AmazonRDSisamanagedserviceanddirectaccesstotheOSisnotavailable.

16. A,B,C.Verticallyscalingupisoneofthesimpleroptionsthatcangiveyouadditionalprocessingpowerwithoutmakinganyarchitecturalchanges.Readreplicasrequiresome

applicationchangesbutletyouscaleprocessingpowerhorizontally.Finally,busydatabasesareoftenI/O-bound,soupgradingstoragetoGeneralPurpose(SSD)orProvisionedIOPS(SSD)canoftenallowforadditionalrequestprocessing.

17. C.Queryisthemostefficientoperationtofindasingleiteminalargetable.

18. A.UsingtheUsernameasapartitionkeywillevenlyspreadyourusersacrossthepartitions.Messagesareoftenfiltereddownbytimerange,soTimestampmakessenseasasortkey.

19. B,D.Youcanonlyhaveasinglelocalsecondaryindex,anditmustbecreatedatthesametimethetableiscreated.Youcancreatemanyglobalsecondaryindexesafterthetablehasbeencreated.

20. B,C.AmazonRedshiftisanOnlineAnalyticalProcessing(OLAP)datawarehousedesignedforanalytics,Extract,Transform,Load(ETL),andhigh-speedquerying.Itisnotwellsuitedforrunningtransactionalapplicationsthatrequirehighvolumesofsmallinsertsorupdates.

Chapter8:SQS,SWF,andSNS1. D.AmazonDynamoDBisnotasupportedAmazonSNSprotocol.

2. A.WhenyoucreateanewAmazonSNStopic,anAmazonARNiscreatedautomatically.

3. A,C,D.Publishers,subscribers,andtopicsarethecorrectanswers.YouhavesubscriberstoanAmazonSNStopic,notreaders.

4. A.ThedefaulttimeforanAmazonSQSvisibilitytimeoutis30seconds.

5. D.ThemaximumtimeforanAmazonSQSvisibilitytimeoutis12hours.

6. B,D.ThevalidpropertiesofanSQSmessageareMessageIDandBody.Eachmessagereceivesasystem-assignedMessageIDthatAmazonSQSreturnstoyouintheSendMessageresponse.TheMessageBodyiscomposedofname/valuepairsandtheunstructured,uninterpretedcontent.

7. B.Useasingledomainwithmultipleworkflows.Workflowswithinseparatedomainscannotinteract.

8. A,B,C.InAmazonSWF,actorscanbeactivityworkers,workflowstarters,ordeciders.

9. B.AmazonSWFwouldbestserveyourpurposeinthisscenariobecauseithelpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.YoucanthinkofAmazonSWFasafully-managedstatetrackerandtaskcoordinatorintheCloud.

10. D.AmazonSQSdoesnotguaranteeinwhatorderyourmessageswillbedelivered.

11. A.MultiplequeuescansubscribetoanAmazonSNStopic,whichcanenableparallelasynchronousprocessing.

12. D.Longpollingallowsyourapplicationtopollthequeue,and,ifnothingisthere,AmazonElasticComputeCloud(AmazonEC2)waitsforanamountoftimeyouspecify(between1and20seconds).Ifamessagearrivesinthattime,itisdeliveredtoyourapplicationassoonaspossible.Ifamessagedoesnotarriveinthattime,youneedtoexecutetheReceiveMessagefunctionagain.

13. B.ThemaximumtimeforanAmazonSQSlongpollingtimeoutis20seconds.

14. D.ThelongestconfigurablemessageretentionperiodforAmazonSQSis14days.

15. B.ThedefaultmessageretentionperiodthatcanbesetinAmazonSQSisfourdays.

16. D.WithAmazonSNS,yousendindividualormultiplemessagestolargenumbersofrecipientsusingpublisherandsubscriberclienttypes.

17. B.Thedeciderschedulestheactivitytasksandprovidesinputdatatotheactivityworkers.Thedecideralsoprocesseseventsthatarrivewhiletheworkflowisinprogressandclosestheworkflowwhentheobjectivehasbeencompleted.

18. C.Topicnamesshouldtypicallybeavailableforreuseapproximately30–60secondsaftertheprevioustopicwiththesamenamehasbeendeleted.Theexacttimewilldependonthenumberofsubscriptionsactiveonthetopic;topicswithafewsubscriberswillbe

availableinstantlyforreuse,whiletopicswithlargersubscriberlistsmaytakelonger.

19. C.ThemaindifferencebetweenAmazonSQSpoliciesandIAMpoliciesisthatanAmazonSQSpolicyenablesyoutograntadifferentAWSaccountpermissiontoyourAmazonSQSqueues,butanIAMpolicydoesnot.

20. C.No.Afteramessagehasbeensuccessfullypublishedtoatopic,itcannotberecalled.

Chapter9:DomainNameSystem(DNS)andAmazonRoute531. C.AnAAAArecordisusedtoroutetraffictoanIPv6address,whereasanArecordisusedtoroutetraffictoanIPv4address.

2. B.Domainnamesareregisteredwithadomainregistrar,whichthenregistersthenametoInterNIC.

3. C.Youshouldrouteyourtrafficbasedonwhereyourendusersarelocated.Thebestroutingpolicytoachievethisisgeolocationrouting.

4. D.APTRrecordisusedtoresolveanIPaddresstoadomainname,anditiscommonlyreferredtoas“reverseDNS.”

5. B.Youwantyouruserstohavethefastestnetworkaccesspossible.Todothis,youwoulduselatency-basedrouting.Geolocationroutingwouldnotachievethisaswellaslatency-basedrouting,whichisspecificallygearedtowardmeasuringthelatencyandthuswoulddirectyoutotheAWSregioninwhichyouwouldhavethelowestlatency.

6. C.YouwoulduseMaileXchange(MX)recordstodefinewhichinbounddestinationmailservershouldbeused.

7. B.SPFrecordsareusedtoverifyauthorizedsendersofmailfromyourdomain.

8. B.Weightedroutingwouldbestachievethisobjectivebecauseitallowsyoutospecifywhichpercentageoftrafficisdirectedtoeachendpoint.

9. D.ThestartofazoneisdefinedbytheSOA;therefore,allzonesmusthaveanSOArecordbydefault.

10. D.Failover-basedroutingwouldbestachievethisobjective.

11. B.TheCNAMErecordmapsanametoanothername.Itshouldbeusedonlywhentherearenootherrecordsonthatname.

12. C.AmazonRoute53performsthreemainfunctions:domainregistration,DNSservice,andhealthchecking.

13. A.ATXTrecordisusedtostorearbitraryandunformattedtextwithahost.

14. C.Theresourcerecordsetscontainedinahostedzonemustsharethesamesuffix.

15. B.DNSusesportnumber53toserverequests.

16. D.DNSprimarilyusesUDPtoserverequests.

17. A.TheTCPprotocolisusedbyDNSserverwhentheresponsedatasizeexceeds512bytesorfortaskssuchaszonetransfers.

18. B.UsingAmazonRoute53,youcancreatetwotypesofhostedzones:publichostedzonesandprivatehostedzones.

19. D.AmazonRoute53canroutequeriestoavarietyofAWSresourcessuchasanAmazonCloudFrontdistribution,anElasticLoadBalancingloadbalancer,anAmazonEC2instance,awebsitehostedinanAmazonS3bucket,andanAmazonRelationalDatabase(AmazonRDS).

20. D.YoumustfirsttransfertheexistingdomainregistrationfromanotherregistrartoAmazonRoute53toconfigureitasyourDNSservice.

Chapter10:AmazonElastiCache1. A,B,C.Manytypesofobjectsaregoodcandidatestocachebecausetheyhavethepotentialtobeaccessedbynumeroususersrepeatedly.Eventhebalanceofabankaccountcouldbecachedforshortperiodsoftimeiftheback-enddatabasequeryisslowtorespond.

2. B,C.AmazonElastiCachesupportsMemcachedandRediscacheengines.MySQLisnotacacheengine,andCouchbaseisnotsupported.

3. C.Thedefaultlimitis20nodespercluster.

4. A.Redisclusterscanonlycontainasinglenode;however,youcangroupmultipleclusterstogetherintoareplicationgroup.

5. B,C.AmazonElastiCacheisApplicationProgrammingInterface(API)-compatiblewithexistingMemcachedclientsanddoesnotrequiretheapplicationtoberecompiledorlinkedagainstthelibraries.AmazonElastiCachemanagesthedeploymentoftheAmazonElastiCachebinaries.

6. B,C.AmazonElastiCachewiththeRedisengineallowsforbothmanualandautomaticsnapshots.Memcacheddoesnothaveabackupfunction.

7. B,C,D.LimitaccessatthenetworklevelusingsecuritygroupsornetworkACLs,andlimitinfrastructurechangesusingIAM.

8. C.AmazonElastiCachewithRedisprovidesnativefunctionsthatsimplifythedevelopmentofleaderboards.WithMemcached,itismoredifficulttosortandranklargedatasets.AmazonRedshiftandAmazonS3arenotdesignedforhighvolumesofsmallreadsandwrites,typicalofamobilegame.

9. A.WhentheclientsareconfiguredtouseAutoDiscovery,theycandiscovernewcachenodesastheyareaddedorremoved.AutoDiscoverymustbeconfiguredoneachclientandisnotactiveserverside.Updatingtheconfigurationfileeachtimewillbeverydifficulttomanage.UsinganElasticLoadBalancerisnotrecommendedforthisscenario.

10. A,B.AmazonElastiCachesupportsbothMemcachedandRedis.Youcanrunself-managedinstallationsofMembaseandCouchbaseusingAmazonElasticComputeCloud(AmazonEC2).

Chapter11:AdditionalKeyServices1. B,C,E.AmazonCloudFrontcanuseanAmazonS3bucketoranyHTTPserver,whetherornotitisrunninginAmazonEC2.ARoute53HostedZoneisasetofDNSresourcerecords,whileanAutoScalingGrouplaunchesorterminatesAmazonEC2instancesautomatically.Neithercanbespecifiedasanoriginserverforadistribution.

2. A,C.ThesiteinAis“popular”andsupports“usersaroundtheworld,”keyindicatorsthatCloudFrontisappropriate.Similarly,thesiteinCis“heavilyused,”andrequiresprivatecontent,whichissupportedbyAmazonCloudFront.BothBandDarecorporateusecaseswheretherequestscomefromasinglegeographiclocationorappeartocomefromone(becauseoftheVPN).TheseusecaseswillgenerallynotseebenefitfromAmazonCloudFront.

3. C,E.Usingmultipleoriginsandsettingmultiplecachebehaviorsallowyoutoservestaticanddynamiccontentfromthesamedistribution.OriginAccessIdentifiersandsignedURLssupportservingprivatecontentfromAmazonCloudFront,whilemultipleedgelocationsaresimplyhowAmazonCloudFrontservesanycontent.

4. B.AmazonCloudFrontOAIisaspecialidentitythatcanbeusedtorestrictaccesstoanAmazonS3bucketonlytoanAmazonCloudFrontdistribution.SignedURLs,signedcookies,andIAMbucketpoliciescanhelptoprotectcontentservedthroughAmazonCloudFront,butOAIsarethesimplestwaytoensurethatonlyAmazonCloudFronthasaccesstoabucket.

5. C.AWSStorageGatewayallowsyoutoaccessdatainAmazonS3locally,withtheGateway-CachedvolumeconfigurationallowingyoutoexpandarelativelysmallamountoflocalstorageintoAmazonS3.

6. B.SimpleADisaMicrosoftActiveDirectory-compatibledirectorythatispoweredbySamba4.SimpleADsupportscommonlyusedActiveDirectoryfeaturessuchasuseraccounts,groupmemberships,domain-joiningAmazonElasticComputeCloud(AmazonEC2)instancesrunningLinuxandMicrosoftWindows,Kerberos-basedSingleSign-On(SSO),andgrouppolicies.

7. C.AWSKMSCMKsarethefundamentalresourcesthatAWSKMSmanages.CMKscanneverleaveAWSKMSunencrypted,butdatakeyscan.

8. D.AWSKMSusesenvelopeencryptiontoprotectdata.AWSKMScreatesadatakey,encryptsitunderaCustomerMasterKey(CMK),andreturnsplaintextandencryptedversionsofthedatakeytoyou.Youusetheplaintextkeytoencryptdataandstoretheencryptedkeyalongsidetheencrypteddata.Youcanretrieveaplaintextdatakeyonlyifyouhavetheencrypteddatakeyandyouhavepermissiontousethecorrespondingmasterkey.

9. A.AWSCloudTrailrecordsimportantinformationabouteachAPIcall,includingthenameoftheAPI,theidentityofthecaller,thetimeoftheAPIcall,therequestparameters,andtheresponseelementsreturnedbytheAWSCloudservice.

10. B,C.Encryptioncontextisasetofkey/valuepairsthatyoucanpasstoAWSKMSwhenyoucalltheEncrypt,Decrypt,ReEncrypt,GenerateDataKey,and

GenerateDataKeyWithoutPlaintextAPIs.Althoughtheencryptioncontextisnotincludedintheciphertext,itiscryptographicallyboundtotheciphertextduringencryptionandmustbepassedagainwhenyoucalltheDecrypt(orReEncrypt)API.InvalidciphertextfordecryptionisplaintextthathasbeenencryptedinadifferentAWSaccountorciphertextthathasbeenalteredsinceitwasoriginallyencrypted.

11. B.BecausetheInternetconnectionisfull,thebestsolutionwillbebasedonusingAWSImport/Exporttoshipthedata.Themostappropriatestoragelocationfordatathatmustbestored,butisveryrarelyaccessed,isAmazonGlacier.

12. C.Becausethejobisrunmonthly,apersistentclusterwillincurunnecessarycomputecostsduringtherestofthemonth.AmazonKinesisisnotappropriatebecausethecompanyisrunninganalyticsasabatchjobandnotonastream.Asinglelargeinstancedoesnotscaleouttoaccommodatethelargecomputeneeds.

13. D.TheAmazonKinesisservicesenableyoutoworkwithlargedatastreams.WithintheAmazonKinesisfamilyofservices,AmazonKinesisFirehosesavesstreamstoAWSstorageservices,whileAmazonKinesisStreamsprovidetheabilitytoprocessthedatainthestream.

14. C.AmazonDataPipelineallowsyoutorunregularExtract,Transform,Load(ETL)jobsonAmazonandon-premisesdatasources.ThebeststorageforlargedataisAmazonS3,andAmazonRedshiftisalarge-scaledatawarehouseservice.

15. B.AmazonKinesisFirehoseallowsyoutoingestmassivestreamsofdataandstorethedataonAmazonS3(aswellasAmazonRedshiftandAmazonElasticsearch).

16. C.AWSOpsWorksusesChefrecipestostartnewappserverinstances,configureapplicationserversoftware,anddeployapplications.OrganizationscanleverageChefrecipestoautomateoperationslikesoftwareconfigurations,packageinstallations,databasesetups,serverscaling,andcodedeployment.

17. A.WithAWSCloudFormation,youcanreuseyourtemplatetosetupyourresourcesconsistentlyandrepeatedly.Justdescribeyourresourcesonceandthenprovisionthesameresourcesoverandoverinmultiplestacks.

18. B.AWSTrustedAdvisorinspectsyourAWSenvironmentandmakesrecommendationswhenopportunitiesexisttosavemoney,improvesystemavailabilityandperformance,orhelpclosesecuritygaps.AWSTrustedAdvisordrawsuponbestpracticeslearnedfromtheaggregatedoperationalhistoryofservinghundredsofthousandsofAWScustomers.

19. A.AWSConfigisafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,youcandiscoverexistinganddeletedAWSresources,determineyouroverallcomplianceagainstrules,anddiveintoconfigurationdetailsofaresourceatanypointintime.Thesecapabilitiesenablecomplianceauditing.

20. D.AWSElasticBeanstalkisthefastestandsimplestwaytogetanapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.

Chapter12:SecurityonAWS1. B.Alldecommissionedmagneticstoragedevicesaredegaussedandphysicallydestroyedinaccordancewithindustry-standardpractices.

2. C.Theadministratorpasswordisencryptedwiththepublickeyofthekeypair,andyouprovidetheprivatekeytodecryptthepassword.Thenlogintotheinstanceastheadministratorwiththedecryptedpassword.

3. C.Bydefault,networkaccessisturnedofftoaDBInstance.YoucanspecifyrulesinasecuritygroupthatallowsaccessfromanIPaddressrange,port,orAmazonElasticComputeCloud(AmazonEC2)securitygroup.

4. A.AmazonS3SSEusesoneofthestrongestblockciphersavailable,256-bitAES.

5. C.IAMpermitsuserstohavenomorethantwoactiveaccesskeysatonetime.

6. B.ThesharedresponsibilitymodelisthenameofthemodelemployedbyAWSwithitscustomers.

7. D.WhenyouchooseAWSKMSforkeymanagementwithAmazonRedshift,thereisafour-tierhierarchyofencryptionkeys.Thesekeysarethemasterkey,aclusterkey,adatabasekey,anddataencryptionkeys.

8. D.ElasticLoadBalancingsupportstheServerOrderPreferenceoptionfornegotiatingconnectionsbetweenaclientandaloadbalancer.DuringtheSSLconnectionnegotiationprocess,theclientandtheloadbalancerpresentalistofciphersandprotocolsthattheyeachsupport,inorderofpreference.Bydefault,thefirstcipherontheclient’slistthatmatchesanyoneoftheloadbalancer’sciphersisselectedfortheSSLconnection.IftheloadbalancerisconfiguredtosupportServerOrderPreference,thentheloadbalancerselectsthefirstcipherinitslistthatisintheclient’slistofciphers.ThisensuresthattheloadbalancerdetermineswhichcipherisusedforSSLconnection.IfyoudonotenableServerOrderPreference,theorderofcipherspresentedbytheclientisusedtonegotiateconnectionsbetweentheclientandtheloadbalancer.

9. C.AmazonWorkSpacesusesPCoIP,whichprovidesaninteractivevideostreamwithouttransmittingactualdata.

10. C.DistributingapplicationsacrossmultipleAvailabilityZonesprovidestheabilitytoremainresilientinthefaceofmostfailuremodes,includingnaturaldisastersorsystemfailures.

11. A.AvirtualMFAdeviceusesasoftwareapplicationthatgeneratessix-digitauthenticationcodesthatarecompatiblewiththeTOTPstandard,asdescribedinRFC6238.

12. B,D.AmazonDynamoDBdoesnothaveaserver-sidefeaturetoencryptitemswithinatable.YouneedtouseasolutionoutsideofDynamoDBsuchasaclient-sidelibrarytoencryptitemsbeforestoringthem,orakeymanagementservicelikeAWSKeyManagementServicetomanagekeysthatareusedtoencryptitemsbeforestoringtheminDynamoDB.

13. B.Ifyourprivatekeycanbereadorwrittentobyanyonebutyou,thenSSHignoresyourkey.

14. D.AmazonCognitoIdentitysupportspublicidentityproviders—Amazon,Facebook,andGoogle—aswellasunauthenticatedidentities.

15. A.AninstanceprofileisacontainerforanIAMrolethatyoucanusetopassroleinformationtoanAmazonEC2instancewhentheinstancestarts.

16. B.AnetworkACLisanoptionallayerofsecurityforyourAmazonVPCthatactsasafirewallforcontrollingtrafficinandoutofoneormoresubnets.YoumightsetupnetworkACLswithrulessimilartoyoursecuritygroupsinordertoaddanadditionallayerofsecuritytoyourAmazonVPC.

17. D.TheSignatureVersion4signingprocessdescribeshowtoaddauthenticationinformationtoAWSrequests.Forsecurity,mostrequeststoAWSmustbesignedwithanaccesskey(AccessKeyID[AKI]andSecretAccessKey[SAK]).IfyouusetheAWSCommandLineInterface(AWSCLI)oroneoftheAWSSoftwareDevelopmentKits(SDKs),thosetoolsautomaticallysignrequestsforyoubasedoncredentialsthatyouspecifywhenyouconfigurethetools.However,ifyoumakedirectHTTPorHTTPScallstoAWS,youmustsigntherequestsyourself.

18. B.Dedicatedinstancesarephysicallyisolatedatthehosthardwarelevelfromyourinstancesthataren’tdedicatedinstancesandfrominstancesthatbelongtootherAWSaccounts.

19. C.AmazonEMRstartsyourinstancesintwoAmazonElasticComputeCloud(AmazonEC2)securitygroups,oneforthemasterandanotherfortheslaves.Themastersecuritygrouphasaportopenforcommunicationwiththeservice.ItalsohastheSSHportopentoallowyoutosecurelyconnecttotheinstancesviaSSHusingthekeyspecifiedatstartup.Theslavesstartinaseparatesecuritygroup,whichonlyallowsinteractionwiththemasterinstance.Bydefault,bothsecuritygroupsaresetuptopreventaccessfromexternalsources,includingAmazonEC2instancesbelongingtoothercustomers.Becausethesearesecuritygroupsinyouraccount,youcanreconfigurethemusingthestandardAmazonEC2toolsordashboard.

20. A.WhenyoucreateanAmazonEBSvolumeinanAvailabilityZone,itisautomaticallyreplicatedwithinthatAvailabilityZonetopreventdatalossduetofailureofanysinglehardwarecomponent.AnEBSSnapshotcreatesacopyofanEBSvolumetoAmazonS3sothatcopiesofthevolumecanresideindifferentAvailabilityZoneswithinaregion.

Chapter13:AWSRiskandCompliance1. A,B,C.AnswersAthroughCdescribevalidmechanismsthatAWSusestocommunicatewithcustomersregardingitssecurityandcontrolenvironment.AWSdoesnotallowcustomers’auditorsdirectaccesstoAWSdatacenters,infrastructure,orstaff.

2. C.ThesharedresponsibilitymodelcanincludeITcontrols,anditisnotjustlimitedtosecurityconsiderations.Therefore,answerCiscorrect.

3. A.AWSprovidesITcontrolinformationtocustomersthrougheitherspecificcontroldefinitionsorgeneralcontrolstandardcompliance.

4. A,B,D.ThereisnosuchthingasaSOC4report,thereforeanswerCisincorrect.

5. A.ITgovernanceisstillthecustomer’sresponsibility.

6. D.AnynumberofcomponentsofaworkloadcanbemovedintoAWS,butitisthecustomer’sresponsibilitytoensurethattheentireworkloadremainscompliantwithvariouscertificationsandthird-partyattestations.

7. B.AnAvailabilityZoneconsistsofmultiplediscretedatacenters,eachwiththeirownredundantpowerandnetworking/connectivity,thereforeanswerBiscorrect.

8. A,C.AWSregularlyscanspublic-facing,non-customerendpointIPaddressesandnotifiesappropriateparties.AWSdoesnotscancustomerinstances,andcustomersmustrequesttheabilitytoperformtheirownscansinadvance,thereforeanswersAandCarecorrect.

9. B.AWSpublishesinformationpubliclyonlineanddirectlytocustomersunderNDA,butcustomersarenotrequiredtosharetheiruseandconfigurationinformationwithAWS,thereforeanswerBiscorrect.

10. C.AWShasdevelopedastrategicbusinessplan,andcustomersshouldalsodevelopandmaintaintheirownriskmanagementplans,thereforeanswerCiscorrect.

11. B.Thecollectivecontrolenvironmentincludespeople,processes,andtechnologynecessarytoestablishandmaintainanenvironmentthatsupportstheoperatingeffectivenessofAWScontrolframework.Energyisnotadiscretelyidentifiedpartofthecontrolenvironment,thereforeBisthecorrectanswer.

12. D.Customersareresponsibleforensuringalloftheirsecuritygroupconfigurationsareappropriatefortheirownapplications,thereforeanswerDiscorrect.

13. C.Customersshouldensurethattheyimplementcontrolobjectivesthataredesignedtomeettheirorganization’sownuniquecompliancerequirements,thereforeanswerCiscorrect.

Chapter14:ArchitectureBestPractices1. B,E.AmazonKinesisisaplatformforstreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdata.AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcost-effectivetodecouplethecomponentsofacloudapplication.

2. B,C.LaunchinginstancesacrossmultipleAvailabilityZoneshelpsensuretheapplicationisisolatedfromfailuresinasingleAvailabilityZone,allowingtheapplicationtoachievehigheravailability.WhetheryouarerunningoneAmazonEC2instanceorthousands,youcanuseAutoScalingtodetectimpairedAmazonEC2instancesandunhealthyapplicationsandreplacetheinstanceswithoutyourintervention.Thisensuresthatyourapplicationisgettingthecomputecapacitythatyouexpect,therebymaintainingyouravailability.

3. A,E.AmazonDynamoDBrunsacrossAWSproven,high-availabilitydatacenters.TheservicereplicatesdataacrossthreefacilitiesinanAWSregiontoprovidefaulttoleranceintheeventofaserverfailureorAvailabilityZoneoutage.AmazonS3providesdurableinfrastructuretostoreimportantdataandisdesignedfordurabilityof99.999999999%ofobjects.Yourdataisredundantlystoredacrossmultiplefacilitiesandmultipledevicesineachfacility.WhileElasticLoadBalancingandAmazonElastiCachecanbedeployedacrossmultipleAvailabilityZones,youmustexplicitlytakesuchstepswhencreatingthem.

4. A,D.AutoScalingenablesyoutofollowthedemandcurveforyourapplicationsclosely,reducingtheneedtoprovisionAmazonEC2capacitymanuallyinadvance.Forexample,youcansetaconditiontoaddnewAmazonEC2instancesinincrementstotheAutoScalinggroupwhentheaverageCPUandnetworkutilizationofyourAmazonEC2fleetmonitoredinAmazonCloudWatchishigh;similarly,youcansetaconditiontoremoveinstancesinthesameincrementswhenCPUandnetworkutilizationarelow.

5. B,D,E.Thereisnodirectwaytoencryptanexistingunencryptedvolume.However,youcanmigratedatabetweenencryptedandunencryptedvolumes.

6. A,C,D.TheattacksurfaceiscomposedofthedifferentInternetentrypointsthatallowaccesstoyourapplication.Thestrategytominimizetheattacksurfaceareaisto(a)reducethenumberofnecessaryInternetentrypoints,(b)eliminatenon-criticalInternetentrypoints,(c)separateendusertrafficfrommanagementtraffic,(d)obfuscatenecessaryInternetentrypointstothelevelthatuntrustedenduserscannotaccessthem,and(e)decoupleInternetentrypointstominimizetheeffectsofattacks.ThisstrategycanbeaccomplishedwithAmazonVPC.

7. C.AmazonRDSreadreplicasprovideenhancedperformanceanddurabilityforAmazonRDSinstances.ThisreplicationfeaturemakesiteasytoscaleoutelasticallybeyondthecapacityconstraintsofasingleAmazonRDSinstanceforread-heavydatabaseworkloads.YoucancreateoneormorereplicasofagivensourceAmazonRDSinstanceandservehigh-volumeapplicationreadtrafficfrommultiplecopiesofyourdata,therebyincreasingaggregatereadthroughput.

8. A.AnaliasresourcerecordsetcanpointtoanELB.YoucannotcreateaCNAMErecord

atthetopnodeofaDomainNameService(DNS)namespace,alsoknownasthezoneapex,asthecaseinthisexample.AliasresourcerecordsetscansaveyoutimebecauseAmazonRoute53automaticallyrecognizeschangesintheresourcerecordsetstowhichthealiasresourcerecordsetrefers.

9. D.AninstanceprofileisacontainerforanAWSIdentityandAccessManagement(IAM)rolethatyoucanusetopassroleinformationtoanAmazonEC2instancewhentheinstancestarts.TheIAMroleshouldhaveapolicyattachedthatonlyallowsaccesstotheAWSCloudservicesnecessarytoperformitsfunction.

10. B.AmazonAPIGatewayisafullymanagedservicethatmakesiteasyfordeveloperstopublish,maintain,monitor,andsecureAPIsatanyscale.YoucancreateanAPIthatactsasa“frontdoor”forapplicationstoaccessdata,businesslogic,orfunctionalityfromyourcoderunningonAWSLambda.AmazonAPIGatewayhandlesallofthetasksinvolvedinacceptingandprocessinguptohundredsofthousandsofconcurrentAPIcalls,includingtrafficmanagement,authorizationandaccesscontrol,monitoring,andAPIversionmanagement.

11. C.AmazonEFSisafilestorageserviceforAmazonEC2instances.MultipleAmazonEC2instancescanaccessanAmazonEFSfilesystematthesametime,providingacommondatasourceforthecontentoftheWordPresssiterunningonmorethanoneinstance.

12. A.AmazonDynamoDBisaNoSQLdatabasestorethatisagreatchoiceasanalternativeduetoitsscalability,high-availability,anddurabilitycharacteristics.Manyplatformsprovideopen-source,drop-inreplacementlibrariesthatallowyoutostorenativesessionsinAmazonDynamoDB.AmazonDynamoDBisagreatcandidateforasessionstoragesolutioninashare-nothing,distributedarchitecture.

13. B.AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSshouldbeusedtodecouplethelargevolumeofinboundtransactions,allowingtheback-endservicestomanagethelevelofthroughputwithoutlosingmessages.

14. B,C,E.YoushouldprotectAWSuseraccesskeyslikeyouwouldyourcreditcardnumbersoranyothersensitivesecret.Usedifferentaccesskeysfordifferentapplicationssothatyoucanisolatethepermissionsandrevoketheaccesskeysforindividualapplicationsifanaccesskeyisexposed.Remembertochangeaccesskeysonaregularbasis.Forincreasedsecurity,itisrecommendedtoconfigureMFAforanysensitiveoperations.RemembertoremoveanyIAMusersthatarenolongerneededsothattheuser’saccesstoyourresourcesisremoved.Alwaysavoidhavingtoembedaccesskeysinanapplication.

15. A,B,E.YoucanenableAWSCloudTrailinyourAWSaccounttogetlogsofAPIcallsandrelatedevents’historyinyouraccount.AWSCloudTrailrecordsalloftheAPIaccesseventsasobjectsinanAmazonS3bucketthatyouspecifyatthetimeyouenableAWSCloudTrail.YoucantakeadvantageofAmazonS3’sbucketnotificationfeaturebydirectingAmazonS3topublishobject-createdeventstoAWSLambda.WheneverAWSCloudTrailwriteslogstoyourAmazonS3bucket,AmazonS3cantheninvokeyourAWSLambdafunctionbypassingtheAmazonS3object-createdeventasaparameter.TheAWSLambdafunctioncodecanreadthelogobjectandprocesstheaccessrecordsloggedbyAWSCloudTrail.

16. B.AmazonGlacierenablesbusinessesandorganizationstoretaindataformonths,years,ordecades,easilyandcosteffectively.WithAmazonGlacier,customerscanretainmoreoftheirdataforfutureanalysisorreference,andtheycanfocusontheirbusinessinsteadofoperatingandmaintainingtheirstorageinfrastructure.CustomerscanalsouseAmazonGlacierVaultLocktomeetregulatoryandcompliancearchivingrequirements.

17. A.ManycompaniesthatdistributecontentviatheInternetwanttorestrictaccesstodocuments,businessdata,mediastreams,orcontentthatisintendedforselectedusers,suchasuserswhohavepaidafee.ToservethisprivatecontentsecurelyusingAmazonCloudFront,youcanrequirethatusersaccessyourprivatecontentbyusingspecialAmazonCloudFront-signedURLsorsignedcookies.

18. B.AmazonS3provideshighlydurableandavailablestorageforavarietyofcontent.AmazonS3canbeusedasabigdataobjectstoreforallofthevideos.AmazonS3’slowcostcombinedwithitsdesignfordurabilityof99.999999999%andforupto99.99%availabilitymakeitagreatstoragechoicefortranscodingservices.

19. A.AnAvailabilityZoneconsistsofoneormorephysicaldatacenters.Availabilityzoneswithinaregionprovideinexpensive,low-latencynetworkconnectivitytootherzonesinthesameregion.Thisallowsyoutodistributeyourapplicationacrossdatacenters.Intheeventofacatastrophicfailureinadatacenter,theapplicationwillcontinuetohandlerequests.

20. C.YoucanuseaNATgatewaytoenableinstancesinaprivatesubnettoconnecttotheInternetorotherAWSservices,butpreventtheInternetfrominitiatingaconnectionwiththoseinstances.IfyouhaveresourcesinmultipleAvailabilityZonesandtheyshareoneNATgateway,resourcesintheotherAvailabilityZonesloseInternetaccessintheeventthattheNATgateway’sAvailabilityZoneisdown.TocreateanAvailabilityZone-independentarchitecture,createaNATgatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.

ComprehensiveOnlineLearningEnvironmentRegisteronSybex.comtogainaccesstothecomprehensiveonlineinteractivelearning

environmentandtestbanktohelpyoustudyforyourAWSCertifiedSolutionsArchitect-Associateexam.

Theonlinetestbankincludes:

AssessmentTesttohelpyoufocusyourstudytospecificobjectives

ChapterTeststoreinforcewhatyou'velearned

PracticeExamstotestyourknowledgeofthematerial

DigitalFlashcardstoreinforceyourlearningandprovidelast-minutetestprepbeforetheexam

SearchableGlossarytodefinethekeytermsyou'llneedtoknowfortheexam

Gotohttp://www.wiley.com/go/sybextestpreptoregisterandgainaccesstothiscomprehensivestudytoolpackage.

http://www.wiley.com/go/sybextestprep

WILEYENDUSERLICENSEAGREEMENTGotowww.wiley.com/go/eulatoaccessWiley’sebookEULA.

http://www.wiley.com/go/eula

Documents

Certified Solutions Architect Official · Niamh O'Byrne, AWS Certification Manager, who introduced all of the authors and many more solutions architects at AWS to certification testing