Saturday, May 22, 2021

AWS Associate Developer - Notes2

1. Beanstalk config format -> .ebextensions/<mysetting>.config

2. Europe users get served from a Europe server -> R53 geolocation-based routing

3. ALB has no target group -> we get a 503 error

4. Prevent CodeBuild builds from running too long -> enable CodeBuild timeouts

5. Service to store and deploy Docker images -> ECR

6. EC2 Auto Scaling:

Auto Scaling groups cannot span multiple Regions

An ASG can contain EC2 instances in one or more AZs within the same Region

7. MFA mechanism that is NOT available for root user authentication -> SMS-based MFA

8. Beanstalk relies on -> AWS CloudFormation

9. Valid SAM resource types

AWS::Serverless::Api

AWS::Serverless::Application

AWS::Serverless::Function

AWS::Serverless::HttpApi

AWS::Serverless::LayerVersion

AWS::Serverless::SimpleTable

AWS::Serverless::StateMachine

10. In Beanstalk, reuse the RDS connection but re-create ElastiCache for each deployment -> define ElastiCache in .ebextensions/ and refer to RDS via an environment variable

11. To create a digital signature for SSH into EC2 -> need key pairs

12. Instead of creating individual policies for each user, you can use policy variables and create a single policy that applies to multiple users (a group policy). Policy variables act as placeholders. When you make a request to AWS, the placeholder is replaced by a value from the request when the policy is evaluated.

13. In IAM, a principal is a person or application that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity to make requests to AWS.

14. In IAM, the Resource element specifies the object or objects that the statement covers. You specify a resource using an ARN.

15. Deploy with minimum application downtime and the ability to roll back quickly -> Blue/Green

16. API Gateway usage plans 

A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key.

17. CodeCommit does not support username and password based credentials

18. Amazon SQS uses a visibility timeout to prevent other consumers from receiving and processing the same message. The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours.

19. EC2 user data scripts are executed with root permissions and run only the first time the instance is launched

20. A-Record -> Used to point a domain or subdomain to an IP address.

21. PTR Record -> A Pointer (PTR) record resolves an IP address to a fully-qualified domain name (FQDN), the opposite of what an A record does.

22. Alias records let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets

23. Security credentials that can only be created by the AWS account root user -> CloudFront key pairs

24. Secrets Manager -> can be used to store DB credentials and API keys and rotate them

25. Allow a Lambda function in AWS account A to access a DynamoDB table in another AWS account B ->

Create an IAM role in account B with access to DynamoDB.

Modify the trust policy of the role in account B to allow the execution role of the Lambda function to assume this role.

Update the Lambda function code to add the AssumeRole API call.
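The three steps above written out as an added example (not code from the original notes): the two policy documents for the role in account B, the caller-side permission the note does not mention, and the Lambda handler calling AssumeRole. Account ids, role names, the table name and the Region are constructed placeholders.

```python
"""Cross-account access: Lambda in account A reads a DynamoDB table in account B."""
import json

# Constructed placeholder ids/names; replace with your own.
ACCOUNT_A, ACCOUNT_B, REGION = "111111111111", "222222222222", "us-east-1"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/orders-lambda-exec-role"
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/OrdersTableReader"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_B}:table/Orders"

def permissions_policy(table_arn: str) -> dict:
    # Step 1 (account B role): read-only, scoped to one table, not dynamodb:* on "*".
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": table_arn}]}

def trust_policy(caller_role_arn: str) -> dict:
    # Step 2 (account B role): trust only the Lambda execution role, not account A's
    # root, so no other identity in account A can assume this role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": caller_role_arn},
        "Action": "sts:AssumeRole"}]}

def caller_assume_policy(target_role_arn: str) -> dict:
    # Caveat the note leaves out: cross-account, the Lambda execution role in
    # account A also needs sts:AssumeRole on the role in B in its own policy.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}

def handler(event, context):
    # Step 3 (Lambda code): AssumeRole, then use the temporary credentials.
    # Runs only inside Lambda with boto3 and AWS credentials available.
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=CROSS_ACCOUNT_ROLE_ARN, RoleSessionName="orders-lambda",
        DurationSeconds=900)["Credentials"]
    ddb = boto3.client("dynamodb", region_name=REGION,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    item = ddb.get_item(TableName="Orders",
                        Key={"OrderId": {"S": event["order_id"]}}).get("Item")
    return {"statusCode": 200, "body": json.dumps(item)}
```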

26. T2 micro running for 30 seconds -> no charge because it is free tier

27. Lambda A gets throttled because Lambda B takes many invocations -> set up reserved concurrency on Lambda B so it limits its max concurrency

28. AWS requires approximately 5 weeks of usage data to generate a budget forecast

29. ELB marks the EC2 target as unhealthy but you can access the EC2 instance directly and see the website ->

Either the EC2 security group is blocking traffic from the ELB

or the health check URL is wrongly configured in the ELB for this EC2 instance

30. Which feature helps identify unused IAM roles and remove them without disrupting any service -> Access Advisor feature of IAM

31. The only resource-based policy that the IAM service supports -> Trust policy

32. Policies that only limit permissions but cannot grant permissions ->

SCP, permission boundary

33. Service to identify security issues with minimum effort -> IAM Access Analyzer

34. Syntax for getting a value from a mapping -> !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

35. CloudFormation valid sections

AWSTemplateFormatVersion

Description

Metadata

Parameters

Mappings

Conditions

Transform

Resources

Outputs

36. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer.

Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default.

37. In CloudFormation, exported output values must have unique names within a single Region

38. We can deploy SSL certificates using ACM or IAM

39. For a cross-stack reference, use the Export output field to flag the value of one resource from one stack. Then use the Fn::ImportValue intrinsic function to import that value into the other stack

40. ELB features: build highly available systems, separate public and private traffic

41. You need to activate IAM user access to the Billing and Cost Management console for all users who need access. By default, IAM users do not have access to the AWS Billing and Cost Management console.

42. Application Load Balancer can be used to securely authenticate users for accessing your applications. This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic.

43. You cannot directly integrate Cognito User Pools with a CloudFront distribution; you have to create a separate Lambda@Edge function

44. How KMS works -> KMS stores the CMK and receives data from clients, which it encrypts and sends back

45. You can create one or more aliases for your AWS Lambda function. A Lambda alias is like a pointer to a specific Lambda function version. You can use routing configuration on an alias to send a portion of traffic to a Lambda function version. For example, you can reduce the risk of deploying a new version by configuring the alias to send most of the traffic to the existing version, and only a small percentage of traffic to the new version.
