AWS SAA FlashCards
AWS Regions
What is it?: A region is a cluster of data centers
Remember:
- AWS has Regions all around the world
- Region names can be: us-east-1, us-west-2, eu-west-1, sa-east-1, me-south-1, eu-north-1, eu-west-3, etc.
- Each region has many availability zones
- Most AWS services are region-scoped.
- To find your Regions using the AWS CLI: aws ec2 describe-regions
AWS Availability Zones
What is it?: An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region
Remember:
- Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
- AZs are separate from each other, and therefore isolated from disasters
- AZs are connected with high bandwidth, ultra-low latency networking
- Each region has many availability zones
- To find your Availability Zones using the AWS CLI: aws ec2 describe-availability-zones --region region-name
AWS IAM
What is it?: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
Remember:
- You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
- Permissions are governed by Policies (JSON)
- IAM has predefined "managed policies"
- Always give users the minimal amount of permissions they need to perform their job (principle of least privilege)
- Big enterprises usually integrate their own repository of users with IAM, so employees can log in to AWS using their company credentials
- Identity Federation uses the SAML standard (Active Directory)
- MFA (Multi-Factor Authentication) can be set up
- IAM credentials should never be shared
- Never use ROOT IAM Credentials
- Never use the ROOT account except for initial setup.
AWS VPC
What is it?: Private network in AWS that you can use to deploy your resources.
Remember:
- Subnets allow you to partition your network inside your VPC (Availability Zone resource)
- A public subnet is accessible from the internet
- A private subnet is not accessible from the internet
- Internet Gateways help our VPC instances connect with the internet
- NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private.
- NACL (Network ACL) is a firewall which controls traffic from and to a subnet
- Security Groups are a firewall that controls traffic to and from an ENI / an EC2 Instance
- VPC Flow Logs capture information about IP traffic going into your interfaces (VPC, Subnet, ENI)
- VPC Peering connects two VPCs privately using AWS' network
- VPC Endpoints allow you to connect to AWS Services using a private network instead of the public www network, resulting in enhanced security and lower latency to access AWS services.
- Site to Site VPN connects an on-premises VPN to AWS
- Direct Connect (DX) establishes a physical connection between on-premises and AWS
- With VPC traffic mirroring, you can detect network and security anomalies, gain operational insights, implement compliance and security controls, and troubleshoot issues.
AWS EC2
What is it?: Elastic Compute Cloud allows users to rent virtual computers on which to run their own computer applications.
Remember:
- Amazon EC2 provides a truly elastic computing environment.
- Amazon EC2 enables you to increase or decrease capacity within minutes, not hours or days.
- EC2 provides the capability to store data on virtual drives (EBS)
- Security Groups are the fundamentals of network security in AWS
- Security Groups control how traffic is allowed into or out of our EC2 Machines.
- Security groups act as a "firewall" on EC2 instances
- EC2 On Demand: Pay for what you use (billing per second, after the first minute)
- EC2 Reserved Instances: Discount up to 75% compared to On-demand. Pay upfront for what you use with a long-term commitment
- EC2 Spot Instances: Discount of up to 90% compared to On-demand. You can "lose" your instance at any point in time if your max price is less than the current spot price
- EC2 Dedicated Hosts: Physical dedicated EC2 server for your use. Full control of EC2 Instance placement.
AWS S3
What is it?: Object storage service that offers scalability, data availability, security, and performance.
Remember:
- S3 is a universal namespace, meaning each S3 bucket you create must have a unique name that is not being used by anyone else in the world.
- S3 is object based for files: i.e. it allows you to upload files.
- S3 has unlimited storage.
- Files are stored in Buckets.
- Not suitable to install OS on.
- S3 Encryption: Encryption In-Transit (SSL/TLS), Encryption At Rest
- S3 CORS (Cross Origin Resource Sharing)
- CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.
- The best way to handle large objects uploads to the S3 service is to use the Multipart upload API.
- You can enable versioning on a bucket, even if that bucket already has objects in it.
- Bucket names cannot start with a . or - character. S3 bucket names can contain both the . and - characters. There can only be one . or one - between labels. E.g. mybucket-com and mybucket.com are valid names, but mybucket--com and mybucket..com are not valid bucket names.
- S3 Security: User based using IAM policies, Resource Based using Bucket policies and ACLs
- S3 Bucket Policies: JSON based policies (Resources, Actions, Effect, Principal)
- Use S3 bucket policies to grant public access to the bucket, force objects to be encrypted at upload, or grant access to another account
- S3 can host static websites and have them accessible on the www
AWS RDS
What is it?: Relational Database Service
Remember:
- RDS is a managed DB service for DBs that use SQL as a query language.
- It allows you to create databases in the cloud that are managed by AWS
- RDS DB Engines are: Amazon Aurora, Postgres, MySQL, MariaDB, Oracle, SQL Server
- RDS is a managed service: Automated provisioning, OS patching,
- Continuous backups and restore
- Monitoring dashboards
- Read replicas for improved read performance
- Multi AZ setup for DR (Disaster Recovery)
- Maintenance windows for upgrades
- Scaling capability (vertical and horizontal)
- Storage backed by EBS (gp2 or io1)
- Backups are automatically enabled in RDS
- RDS Security - Encryption: at-rest encryption, in-flight encryption
- Aurora is a proprietary technology from AWS (not open sourced)
- Postgres and MySQL are both supported as Aurora DB
- Aurora is “AWS cloud optimized”
- Aurora storage automatically grows in increments of 10 GB, up to 64 TB
AWS Lambda
What is it?: Serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you.
Remember:
- Lambda: Virtual functions – no servers to manage!
- Lambda: Limited by time - short executions
- Run on-demand
- Scaling is automated!
- Lambda natively supports Java, Go, PowerShell, Node.js, C#, Python, and Ruby
- Lambda provides a Runtime API which allows you to use any additional programming languages to author your functions.
- A Lambda deployment package contains Function code and libraries not included within the runtime environment
- Long-running, memory-intensive workloads are LEAST suited to AWS Lambda
- Logs for Lambda functions are stored in AWS CloudWatch