Key Concepts

  1. A resource group is a collection of AWS resources that are all in the same AWS Region and that match the criteria specified in the group's query.
    1. Tag-based queries include lists of resources and tags. 
    2. In an AWS CloudFormation stack-based query, you choose an AWS CloudFormation stack in your account in the current region, and then choose resource types within the stack that you want to be in the group.
  2. You can use resource groups to organize your AWS resources. AWS Resource Groups is the service that lets you manage and automate tasks on large numbers of resources at one time. With Resource Groups, you can create a custom console that organizes and consolidates information based on criteria specified in tags, or on the resources in an AWS CloudFormation stack.
  3. Transfer Family - Supports connecting to S3 or EFS through the FTPS/SFTP/FTP protocols. The hostname for the endpoint can also be configured with Route 53. The Transfer Family endpoint can be associated with an Elastic IP. A security group permitting port 22 can be configured for the Elastic IP.
    1. Public endpoint through SFTP, using an AWS-provided IP.
    2. VPC endpoint through FTP/FTPS and SFTP for internal traffic and on-premises access over Direct Connect/VPN. A private IP is attached.
    3. VPC endpoint through the Internet - SFTP/FTPS - combines the access of options 1 and 2. Can attach an Elastic IP.
    4. https://aws.amazon.com/premiumsupport/knowledge-center/aws-sftp-endpoint-type/
  4. It can be useful to assign multiple IP addresses to an instance in your VPC, for example to host multiple websites on a single server by using multiple SSL certificates and associating each certificate with a specific IP address.
  5. Service Quotas enables you to view and manage your quotas for AWS services from a central location. You can also use the API or command line interface (CLI) tools to request service quota increases.
  6. Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs. You might want to include resources that aren't available as AWS CloudFormation resource types; you can include those resources by using custom resources.
  7. Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and the web without requiring your own backend. The client libraries cache data locally so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and if you set up push sync, notify other devices immediately that an update is available.
  8. SQS
    1. AWS SQS provides a delivery delay option to postpone the delivery of new messages to a queue. If a delivery delay is defined for a queue, any new message will not be visible to consumers for the duration of the delay. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.
    2. Long polling helps reduce the cost of using AWS SQS by eliminating empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren't included in a response).
    3. The polling behavior of a queue is controlled by the 'Receive Message Wait Time' attribute, which by default is set to 0, meaning short polling (the response is sent without any wait time, even if the queue is empty or has just received new messages).
    4. AWS SQS does not delete a message automatically, so there is a chance that the same message is consumed and processed by two different consumers. To prevent this, AWS SQS applies a visibility timeout. The visibility timeout starts when a consumer receives a message, and during the visibility timeout no other consumer can receive the same message. This prevents duplicate processing of the same message.
    5. The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. Also, the dead letter queue needs to be created in the same region as your source queue.
    6. Each Amazon SQS message queue is independent within its region and cannot be accessed from another region.
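The SQS rules above (delay of 0 to 15 minutes, wait time of 0 to 20 seconds for long polling, a dead-letter queue of the same type and region as its source) are easy to get wrong in infrastructure code. The following is an added example, not code from the original notes: a small pure-Python validator that checks a queue specification against those rules and builds the `Attributes` map that `CreateQueue` accepts. `QueueSpec`, `validate_queue`, `polling_mode` and `to_create_queue_attributes` are names chosen here; the attribute keys in the returned map (`DelaySeconds`, `ReceiveMessageWaitTimeSeconds`, `VisibilityTimeout`, `FifoQueue`, `RedrivePolicy`) are the real CreateQueue attribute names. It makes no AWS calls; the sample ARN uses a placeholder account ID.

```python
"""Added example: validate an SQS queue spec before calling CreateQueue.
Pure Python, no AWS calls. Names here are our own; attribute keys are the
real CreateQueue attribute names."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_DELAY_SECONDS = 15 * 60         # delivery delay: 0 (default) .. 15 minutes
MAX_WAIT_SECONDS = 20               # long-polling wait: 0 (short polling) .. 20 s
MAX_VISIBILITY_SECONDS = 12 * 3600  # visibility timeout upper bound (12 hours)


@dataclass
class QueueSpec:
    name: str
    region: str
    fifo: bool = False
    delay_seconds: int = 0           # new messages stay hidden from consumers this long
    receive_wait_seconds: int = 0    # 0 = short polling, >0 = long polling
    visibility_timeout: int = 30     # seconds a received message is hidden from others
    dead_letter_arn: Optional[str] = None
    max_receive_count: int = 5       # receives before a message is moved to the DLQ


def parse_sqs_arn(arn: str) -> Tuple[str, str]:
    """Return (region, queue_name) from arn:aws:sqs:<region>:<account>:<name>."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sqs"]:
        raise ValueError(f"not an SQS queue ARN: {arn}")
    return parts[3], parts[5]


def polling_mode(spec: QueueSpec) -> str:
    """Short polling answers immediately even on an empty queue; long polling waits."""
    return "long" if spec.receive_wait_seconds > 0 else "short"


def validate_queue(spec: QueueSpec) -> List[str]:
    """Return the list of rule violations (empty means the spec is acceptable)."""
    problems = []
    if spec.fifo != spec.name.endswith(".fifo"):
        problems.append("FIFO queues must be named with a .fifo suffix, and only FIFO queues may be")
    if not 0 <= spec.delay_seconds <= MAX_DELAY_SECONDS:
        problems.append(f"delivery delay must be 0..{MAX_DELAY_SECONDS} seconds")
    if not 0 <= spec.receive_wait_seconds <= MAX_WAIT_SECONDS:
        problems.append(f"receive wait time must be 0..{MAX_WAIT_SECONDS} seconds")
    if not 0 <= spec.visibility_timeout <= MAX_VISIBILITY_SECONDS:
        problems.append(f"visibility timeout must be 0..{MAX_VISIBILITY_SECONDS} seconds")
    if spec.dead_letter_arn:
        dlq_region, dlq_name = parse_sqs_arn(spec.dead_letter_arn)
        if dlq_region != spec.region:
            problems.append("dead-letter queue must be in the same region as the source queue")
        if dlq_name.endswith(".fifo") != spec.fifo:
            problems.append("dead-letter queue type must match the source queue "
                            "(FIFO with FIFO, standard with standard)")
    return problems


def to_create_queue_attributes(spec: QueueSpec) -> Dict[str, str]:
    """Build the Attributes map for sqs.create_queue(); raises if the spec is invalid."""
    problems = validate_queue(spec)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = {
        "DelaySeconds": str(spec.delay_seconds),
        "ReceiveMessageWaitTimeSeconds": str(spec.receive_wait_seconds),
        "VisibilityTimeout": str(spec.visibility_timeout),
    }
    if spec.fifo:
        attrs["FifoQueue"] = "true"
    if spec.dead_letter_arn:
        attrs["RedrivePolicy"] = json.dumps({
            "deadLetterTargetArn": spec.dead_letter_arn,
            "maxReceiveCount": str(spec.max_receive_count),
        })
    return attrs


if __name__ == "__main__":
    # Constructed sample: a FIFO queue with long polling and a matching FIFO DLQ
    # (123456789012 is a placeholder account ID).
    spec = QueueSpec(name="orders.fifo", region="us-east-1", fifo=True,
                     receive_wait_seconds=20,
                     dead_letter_arn="arn:aws:sqs:us-east-1:123456789012:orders-dlq.fifo")
    print(polling_mode(spec), to_create_queue_attributes(spec))
    # With boto3 the map would be passed as:
    #   boto3.client("sqs", region_name=spec.region).create_queue(
    #       QueueName=spec.name, Attributes=to_create_queue_attributes(spec))
```

Running the validator in a CI step, before the queue is created, turns the region and FIFO-type mismatches that the service would otherwise reject at runtime into a failed build with a readable message.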
  9. AppMesh
    1. Application level networking across compute services- EC2, ECS, EKS, Fargate, Lambda, etc
    2. Inter-service traffic is called East-West traffic; AppMesh focuses on this.
    3. Service to Client is called North-South traffic.
    4. AppMesh Proxy sits between services and observes traffic.
      1. Manages load balancing of services
      2. Uniform log handling
    5. Sidecar proxy - The proxy has its own business logic and configuration, separate from the application service. The proxy can be run across services with different configurations, and the logic need not be built into the service code.
    6. Run the proxy as a sidecar container.
    7. Path-based routing by the mesh to different services. The client sees a single endpoint; internally the mesh decides where the traffic goes.
  10. GuardDuty
      1. Takes VPC Flow Logs, DNS logs and CloudTrail logs.
      2. Uses ML to analyze the logs and shares findings.
      3. Using CloudWatch Events we can notify SNS or Lambda functions.
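The GuardDuty to CloudWatch Events to SNS/Lambda path above is the usual way findings reach a responder. As an added example, not from the original notes, here is the Lambda side of that path in Python: an event-rule pattern that only forwards findings at or above a severity threshold, and a handler that summarizes the finding and publishes it. The handler takes a `publish` callable so it runs offline; in a deployed function that callable would wrap `boto3.client("sns").publish`. `SAMPLE_FINDING_EVENT` is a constructed event following the GuardDuty Finding event shape (account ID, instance ID, finding ID and topic ARN are placeholders), and the `numeric` severity filter in `event_pattern()` relies on EventBridge content filtering, which we assume is available in your region.

```python
"""Added example: route a GuardDuty finding (delivered by a CloudWatch Events /
EventBridge rule) to SNS by severity. No AWS calls; names are our own."""
import json
from typing import Callable, Dict, Optional

NOTIFY_THRESHOLD = 7.0  # GuardDuty "High" band starts at 7.0 (Medium 4.0-6.9, Low 1.0-3.9)
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # placeholder

SAMPLE_FINDING_EVENT = {  # constructed sample in the GuardDuty Finding event shape
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "PLACEHOLDER-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "title": "constructed sample title",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION"}, "count": 12},
    },
}


def event_pattern(min_severity: float = NOTIFY_THRESHOLD) -> dict:
    """Rule pattern that forwards only findings at or above min_severity."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_severity]}]},
    }


def severity_label(severity: float) -> str:
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def summarize_finding(event: dict) -> Dict[str, str]:
    """Pull out the fields an on-call engineer needs first."""
    d = event["detail"]
    resource = d.get("resource", {})
    service = d.get("service", {})
    resource_id = (resource.get("instanceDetails", {}).get("instanceId")
                   or resource.get("accessKeyDetails", {}).get("userName")
                   or "unknown")
    return {
        "finding_id": d["id"],
        "account": d["accountId"],
        "region": d["region"],
        "type": d["type"],  # e.g. UnauthorizedAccess:EC2/SSHBruteForce
        "title": d.get("title", ""),
        "resource_type": resource.get("resourceType", "unknown"),
        "resource_id": resource_id,
        "action_type": service.get("action", {}).get("actionType", "unknown"),
        "count": str(service.get("count", 1)),
        "severity_label": severity_label(float(d["severity"])),
    }


def _print_publish(topic_arn: str, message: str) -> None:
    """Offline stand-in for sns.publish(TopicArn=..., Message=...)."""
    print(f"[would publish to {topic_arn}]\n{message}")


def handler(event: dict, context=None,
            publish: Optional[Callable[[str, str], None]] = None) -> dict:
    """Lambda entry point: returns the summary plus whether a notification went out."""
    publish = publish or _print_publish
    summary = summarize_finding(event)
    notified = float(event["detail"]["severity"]) >= NOTIFY_THRESHOLD
    if notified:
        publish(TOPIC_ARN, json.dumps(summary, indent=2))
    return {**summary, "notified": notified}


if __name__ == "__main__":
    print(json.dumps(event_pattern(), indent=2))
    print(handler(SAMPLE_FINDING_EVENT))
```

Filtering on severity in the rule pattern rather than in the function keeps low-severity noise from invoking Lambda at all; the handler still re-checks the threshold so the function behaves the same if it is ever wired to a broader rule.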
  11. AWS AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources like Amazon DynamoDB, Lambda, and more. Adding caches to improve performance, subscriptions to support real-time updates, and client-side data stores that keep offline clients in sync are just as easy. Once deployed, AWS AppSync automatically scales your GraphQL API execution engine up and down to meet API request volumes.
    1. With managed GraphQL subscriptions, AWS AppSync can push real-time data updates over WebSockets to millions of clients. For mobile and web applications, AppSync also provides local data access when devices go offline, and data synchronization with customizable conflict resolution when they are back online.
    2. AppSync supports real-time chat applications. You can build conversational mobile or web applications that support multiple private chat rooms, offer access to conversation history, and queue outbound messages, even when a device is offline.
    3. AppSync can also be used for real-time collaboration. You can broadcast data from the backend to all connected clients (one-to-many) or between clients (many-to-many), such as in a second screen scenario where you broadcast the same data to all clients, who can then reply.
  12. Inspector for CVE patching.
  13. Oracle RAC is not supported by RDS.
  14. Amazon WorkDocs is a fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, edit, and share content, and because it’s stored centrally on AWS, access it from anywhere on any device. Amazon WorkDocs makes it easy to collaborate with others, and lets you easily share content, provide rich feedback, and collaboratively edit documents. You can use Amazon WorkDocs to retire legacy file share infrastructure by moving file shares to the cloud. 
  15. Amazon WorkDocs Content Manager is a high-level utility tool that uploads content or downloads it from an Amazon WorkDocs site. It can be used for both administrative and user applications. For user applications, a developer must construct the Amazon WorkDocs Content Manager with anonymous AWS credentials and an authentication token. For administrative applications, the Amazon WorkDocs client must be initialized with AWS Identity and Access Management (IAM) credentials. In addition, the authentication token must be omitted in subsequent API calls.
  16. Amazon MQ is a managed message broker service from AWS that makes it easy to set up and operate message brokers in the cloud. To migrate and re-platform your on-premises IBM MQ to Amazon MQ, you can opt for a phased approach for the migration process. You can move the producers (senders) and consumers (receivers) in phases from your on-premises to the cloud. This process uses Amazon MQ as the message broker, and decommissions IBM MQ once all producers/consumers have been successfully migrated.
  17. It is best to store the SSL certificate in IAM or in AWS Certificate Manager (ACM) where you can control which teams, either the Security or the Development team, can have access.
  18. Backup Strategy
    1. Backup and restore (RPO in hours, RTO in 24 hours or less): Back up your data and applications using point-in-time backups into the DR Region. Restore this data when necessary to recover from a disaster.
    2. Pilot light (RPO in minutes, RTO in hours): Replicate your data from one region to another and provision a copy of your core workload infrastructure. Resources required to support data replication and backup such as databases and object storage are always on. Other elements such as application servers are loaded with application code and configurations, but are switched off and are only used during testing or when Disaster Recovery failover is invoked.
    3. Warm standby (RPO in seconds, RTO in minutes): Maintain a scaled-down but fully functional version of your workload always running in the DR Region. Business-critical systems are fully duplicated and are always on, but with a scaled down fleet. When the time comes for recovery, the system is scaled up quickly to handle the production load.
    4. Multi-region (multi-site) active-active (RPO near zero, RTO potentially zero): Your workload is deployed to, and actively serving traffic from, multiple AWS Regions. This strategy requires you to synchronize data across Regions.
    5. Pilot Light cannot process requests without additional action taken first, while Warm Standby can handle traffic (at reduced capacity levels) immediately. Pilot Light requires you to turn on servers, possibly deploy additional (non-core) infrastructure and then scale up. Warm Standby only requires you to scale up your resources, since all the necessary components are already deployed and running.
  19. Lambda@Edge
    1. Inspect cookies and rewrite URLs to perform A/B testing.
    2. Send specific objects to your users based on the User-Agent header.
    3. Implement access control by looking for specific headers before passing requests to the origin.
    4. Generate new HTTP responses.
    5. Modify or condense headers or URLs to improve cache utilization.
    6. Lambda@Edge can be used to load different resources based on the User-Agent HTTP header.
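Three of the Lambda@Edge uses listed above (header-based access control before the request reaches the origin, User-Agent based content selection, and cookie-driven URL rewriting for A/B testing) fit in one viewer-request function. The block below is an added example, not code from the original notes: a Python viewer-request handler over a constructed CloudFront event. `EXPECTED_TOKEN`, `TOKEN_HEADER` and `EXPERIMENT_COOKIE` are placeholders chosen here, and `make_event` only exists to build test events. One caveat built into the example: Lambda@Edge functions do not support environment variables, so a real deployment would load the token at init time from a secret store instead of a constant.

```python
"""Added example: a Lambda@Edge viewer-request handler doing header-based
access control, User-Agent routing and cookie-driven A/B URL rewriting.
Runs offline against a constructed CloudFront event; names are our own."""
import hmac
from typing import Dict, List

EXPECTED_TOKEN = "PLACEHOLDER-SHARED-SECRET"  # placeholder; Lambda@Edge has no env vars,
                                              # so load this at init from a secret store
TOKEN_HEADER = "x-edge-auth"                  # hypothetical header name
EXPERIMENT_COOKIE = "experiment"              # hypothetical cookie name

Headers = Dict[str, List[Dict[str, str]]]     # CloudFront header map shape


def header_value(headers: Headers, name: str) -> str:
    """CloudFront keys headers by lowercase name; each maps to a list of {key, value}."""
    entries = headers.get(name.lower(), [])
    return entries[0]["value"] if entries else ""


def parse_cookies(headers: Headers) -> Dict[str, str]:
    """Flatten one or more Cookie header values into a name -> value map."""
    cookies: Dict[str, str] = {}
    for entry in headers.get("cookie", []):
        for pair in entry["value"].split(";"):
            if "=" in pair:
                k, v = pair.strip().split("=", 1)
                cookies[k] = v
    return cookies


def forbidden() -> dict:
    """Generated response: CloudFront returns this without contacting the origin."""
    return {
        "status": "403",
        "statusDescription": "Forbidden",
        "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
        "body": "Forbidden",
    }


def handler(event: dict, context=None) -> dict:
    request = event["Records"][0]["cf"]["request"]
    headers: Headers = request["headers"]

    # 1. Access control: constant-time comparison of the expected header value.
    if not hmac.compare_digest(header_value(headers, TOKEN_HEADER), EXPECTED_TOKEN):
        return forbidden()

    # 2. Device-specific objects based on the User-Agent header.
    ua = header_value(headers, "user-agent").lower()
    if "mobile" in ua and not request["uri"].startswith("/mobile/"):
        request["uri"] = "/mobile" + request["uri"]

    # 3. A/B testing: the experiment cookie selects variant B's path.
    if parse_cookies(headers).get(EXPERIMENT_COOKIE) == "b":
        request["uri"] = "/b" + request["uri"]

    return request  # returning the request lets it continue to the cache/origin


def make_event(uri: str, headers: Headers) -> dict:
    """Build a minimal viewer-request event (constructed, for local testing)."""
    return {"Records": [{"cf": {"request": {"uri": uri, "method": "GET",
                                            "querystring": "", "headers": headers}}}]}


if __name__ == "__main__":
    ok = {TOKEN_HEADER: [{"key": "X-Edge-Auth", "value": EXPECTED_TOKEN}],
          "user-agent": [{"key": "User-Agent", "value": "Mozilla/5.0 (iPhone) Mobile"}],
          "cookie": [{"key": "Cookie", "value": "session=abc; experiment=b"}]}
    print(handler(make_event("/index.html", ok))["uri"])   # /b/mobile/index.html
    print(handler(make_event("/index.html", {}))["status"])  # 403
```

Because the token check runs at the viewer-request stage, a request without the header is rejected at the edge and never reaches the cache or the origin.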
  20. Mechanical Turk
    1. Marketplace for human tasks - distributed workforce.
    2. Works with SWF.
  21. Device Farm
    1. Application testing service for web and mobile
    2. Test across real mobile devices and browsers.
    3. Fully automated
    4. Can remotely log in to devices for debugging.
  22. Secure well-architected design
    1. Network
      1. Layered - Route 53 - CloudFront - WAF
      2. Network layers 
        1. ALB in Public subnet
        2. Egress-only NAT gateway in the shared layer
        3. Private subnet - ASG, Lambda and Endpoints.
        4. Private Subnet - Aurora, Endpoints - DB layer
      3. CloudFormation templates - operations as code
      4. Systems Manager as the bastion host
      5. Hardened images using EC2 Image Builder.
      6. Vulnerability management using Inspector
      7. Validate software integrity by verifying checksums or certificates.
      8. Macie for S3 security
      9. KMS for key management
      10. Data in transit - Set certificate in Cloudfront using Certificate manager.
      11. Enable encryption
      12. Have MFA for IAM and root users
      13. Set tagging across accounts
      14. Develop incident management plans
      15. S3 log analysis using Athena
      16. Consolidate Billing - Move billing data from all accounts to management account.
      17. In operations account we will have
        1. Security Hub - Aggregates security findings from GuardDuty, Macie, Firewall Manager, Config, Inspector, IAM Access Analyzer and other solutions across multiple accounts. A prerequisite for enabling it is that AWS Config is enabled in the account. The security standards view highlights the list of security checks that have passed or failed.
        2. GuardDuty - Threat detection at scale - continuously checks CloudTrail, VPC Flow Logs, S3 data event logs and DNS logs. Monitors for malicious activity and security risks using ML and lists findings. Findings have a severity rating and the action which triggered the finding.
        3. Detective
          1. Analyse the root cause of a security finding based on data from VPC Flow Logs, GuardDuty and CloudTrail.
          2. Multi-account service - when enabled in the master account, the master can invite member accounts.
        4. Trusted Advisor
      18. Log Archive account
        1. S3 archive
        2. Config archive
        3. CloudTrail archive
      19. Shared Services Account
        1. CI/CD services
        2. AD Service
      20. Management account
        1. Organizations
        2. SSO
        3. Control Tower
        4. MFA
