AWS EC2 Fundamentals

Questions and Answers

When using EC2 Instance Store, what is the primary risk developers must manage?

• High costs associated with persistent storage.
• Incompatibility with certain operating systems.
• Data loss if the EC2 instance is stopped or hardware fails. (correct)
• Network latency due to the distance to EBS.

An application requires a file system that can be simultaneously accessed by multiple EC2 instances across different Availability Zones. Which AWS storage solution is most suitable?

• Elastic File System (EFS) (correct)
• EC2 Instance Store
• EBS Multi-Attach
• EBS Volume

You need to archive EBS Snapshots for compliance reasons, but want to minimize costs. You plan to restore them only in disaster recovery scenarios. Which storage option is most suitable?

• Standard EBS volumes
• S3 Glacier Instant Retrieval
• EBS Snapshot Archive (correct)
• S3 Standard Infrequent Access (IA)

Your application experiences increased read requests. How can you reduce the load on a single RDS instance without modifying the application’s database connection logic?

Create RDS Read Replicas and direct a portion of the read traffic to them. (A)

Which of the following is NOT a benefit of using RDS Proxy?

Enhanced security with built-in DDoS protection. (A)

Your application needs a caching solution to store frequently accessed data with high performance and support for complex data structures. Which AWS service best fits these requirements?

Amazon MemoryDB (C)

You want to ensure your DNS records automatically direct traffic away from unhealthy EC2 instances. Which Route 53 feature should you implement?

Health Checks (C)

Which Route 53 routing policy allows you to send a percentage of your traffic to different resources?

Weighted Routing (B)

Your application in a VPC needs to securely access S3 without traversing the public internet. What should you configure?

VPC Endpoint (C)

What is the purpose of a NAT Gateway in a private subnet?

Enable resources in the subnet to access the internet while remaining inaccessible from the internet. (A)

You need to store frequently accessed data with low latency and high throughput. Which S3 storage class is most appropriate?

S3 Standard (A)

What feature allows S3 to automatically move objects between different storage tiers based on access patterns, optimizing storage costs?

S3 Intelligent-Tiering (A)

How can you provide EC2 instances with temporary, limited-privilege access to AWS resources?

IAM Roles (C)

What type of data can be retrieved from EC2 Instance Metadata?

Role name, Dynamic data and User data (A)

You want to automate the process of moving S3 objects to Glacier after 6 months of creation. What S3 feature should you use?

S3 Lifecycle Rules (A)

Which S3 feature allows you to retrieve specific parts of an object, improving performance for certain applications?

S3 Byte Range Fetch (B)

Which S3 encryption type requires you to manage the encryption keys outside of AWS?

SSE-C (A)

How can you grant different applications different levels of access to objects within an S3 bucket, improving security and simplifying permission management?

S3 Access Points (C)

You need to implement a CDN for your website to reduce latency for users worldwide. What AWS service should you use?

Amazon CloudFront (A)

Your CloudFront distribution needs to restrict access to certain content based on user location. What feature should you use?

Geo Restriction (C)

Which AWS service allows you to run containers without managing the underlying infrastructure?

Amazon ECS with Fargate launch type (A)

What setting allows ECS tasks access to AWS resources?

IAM Role on the ECS Task Definition (B)

Which Elastic Beanstalk deployment strategy minimizes downtime and immediately switches traffic to a new, fully provisioned environment?

Immutable Deployments (B)

For repeatable infrastructure deployments, which AWS service allows you to define and manage infrastructure as code?

AWS CloudFormation (A)

In CloudFormation, what is the purpose of Intrinsic Functions?

To retrieve parameter values or resource attributes within the template. (A)

A development team wants to asynchronously process messages between microservices. Considering decoupling and scalability, which AWS service is most suitable?

Amazon SQS (D)

You need to send a single notification to multiple subscribers, including email, SMS, and SQS queues. Which AWS service should you use?

Amazon SNS (B)

Your application needs to process a real-time stream of click events. Which AWS service is best suited for capturing, processing, and storing this data?

Amazon Kinesis Data Streams (C)

An application exhibits high latency and performance bottlenecks. Which AWS service should you use to identify performance issues and dependencies between components?

AWS X-Ray (D)

What logs all API calls made in your AWS account, providing an audit trail for security analysis and compliance?

AWS CloudTrail (A)

What is the primary benefit of using AWS Lambda?

Running code without managing servers. (C)

What is the purpose of Lambda Layers?

To externalize dependencies and share them across multiple Lambda functions. (D)

For AWS Lambda functions accessing resources inside a VPC, what configuration is necessary?

Explicitly defining the VPC ID, subnets, and security groups. (B)

Which AWS service is a serverless, NoSQL database, ideal for applications requiring high scalability and low latency?

Amazon DynamoDB (C)

What feature allows you to improve DynamoDB read performance through the use of an in-memory cache?

DynamoDB Accelerator (DAX) (A)

Which AWS service is best suited for building a RESTful API?

Amazon API Gateway (A)

How can you protect your API Gateway endpoints from excessive requests?

Using API Keys and Throttling (B)

For building a CI/CD pipeline on AWS, which service allows you to define your build processes as code?

AWS CodeBuild (D)

Which AWS service allows you to automate the deployment of applications to various targets, such as EC2 instances, Lambda functions, and on-premises servers?

AWS CodeDeploy (B)

When developing applications on AWS with a focus on mobile and web apps, which service provides a set of tools and services to simplify the development workflow?

AWS Amplify (B)

IAM Roles specify a Trust Policy. What does the Trust Policy define?

AWS account that is granted permission to assume the role (D)

Flashcards

What is EC2?

A web service that provides resizable compute capacity in the cloud; infrastructure as a service.

What is Elastic Block Storage (EBS)?

Storage volumes that are networked drives attached to EC2 instances, persisting independently.

What is an EBS Snapshot?

A backup copy of an EBS volume, stored in S3.

What is an Amazon Machine Image (AMI)?

A customisation of an EC2 instance, including pre-installed software and configuration.

What is EC2 Instance Store?

Instance storage provides temporary block-level storage for EC2 instances; Non-persistent, physical drive attached to the server.

What is a GP2/GP3 EBS volume?

General Purpose SSD, balances price and performance.

What is a IO1/IO2 EBS volume?

Highest performance, mission critical data access.

What is a SC1 EBS volume?

Low cost HDD, less frequent access.

What is Elastic File System (EFS)?

Network File System, mounted to multiple EC2 instances across AZs.

What is Elastic Load Balancing (ELB)?

Automatically distributes incoming application traffic across multiple targets, such as EC2 instances.

What is an Application Load Balancer?

Layer 7 load balancer which targets HTTP and HTTPS traffic.

What is a Network Load Balancer (NLB)?

High performance, low latency load balancer that operates at the TCP layer.

What is a Gateway Load Balancer?

Load balancer operating at Layer 3, balancing across target groups.

What is Auto Scaling (ASG)?

Automatically adjusts compute capacity to maintain steady, predictable performance at the lowest possible cost.

What is Relational Database Service (RDS)?

A web service that makes it easier to set up, operate, and scale a relational database in the cloud.

What are RDS Read Replicas?

A read-only copy of a DB instance, used to offload read traffic.

What is Aurora?

AWS database service; MySQL and PostgreSQL-compatible, offering increased performance and availability.

What is RDS Proxy?

Allows applications to pool and share database connections, improving efficiency and scalability.

What is ElastiCache?

Fully managed, in-memory data store service, compatible with Redis or Memcached.

What is Route 53?

HA, managed, scalable DNS Server.

What is Route53 Health Checks?

Stops routing traffic to unhealthy services.

What is a VPC?

Allocate server resources and deploy your systems

What is an Internet Gateway?

An entrypoint at the VPC level that provides internet access.

What is NAT Gateway/Interface?

Allows instances in private subnets to access the internet without direct exposure.

What is a Network ACL (NACL)?

Stateless firewall controlling traffic to subnets.

What is a Security Group?

Stateful firewall controlling traffic to EC2 instances.

What is VPC Peering?

Connect two VPCs together with a non-overlapping IP range.

What is Simple Storage Service (S3)?

A fully managed object storage service that provides scalable, secure, and durable storage.

What defines S3 buckets?

Buckets defined at a regional level with globally unique names.

What is S3 Replication?

Cross-region or Same-region replication. Only replicates new objects.

What S3 Standard?

S3 storage class for frequently accessed data with high availability.

What is S3 Infrequent Access?

S3 storage class for infrequently accessed data, offering lower storage costs.

What is Glacier?

S3 archive storage with low cost

What is IAM

Service to manage security and permissions

What are Advanced S3 rules?

Lifecycle rules, expiration rules. Applied by prefix or object tags.

What is KMS

CloudTrail can audit its usages

What is SNS?

Send a message to multiple subscribers. Subscribers: SQS, Email, Lamda etc.

What is SQS?

Queue decoupling messages and actions.

What is Kinesis?

Collect, process and analyse streaming data. Examples: app logs, metrics etc.

Study Notes

EC2 Fundamentals

• Elastic Compute Cloud (EC2) provides infrastructure as a service
• EC2 rents virtual machines (VMs), stores data on drives (EBS), distributes load (ELB), and auto-scales (ASG)

EC2 Classes

• An Instance class is defined by the type of instance, it's generation and size
• In m5.2xlarge, m is the instance class, 5 is its generation, and 2xlarge is its size
• General Purpose instance class type performs across various workloads
• Compute Optimized instance class type is used for high performance processing with machine learning, media transcoding and game servers utilising the "C" class
• Storage Optimized instance class type is suited for large datasets in memory and in-memory databases with the "R" class

EC2 Instance Storage

• Elastic Block Store (EBS) connects a network drive to an EC2 instance
• Can only be attached to one instance at a time
• EBS is regional, residing in a specific Availability Zone, but can be moved between AZs via snapshotting
• Snapshots are backup copies of EBS volumes which are recommended, but are not required to detach as they can copy EBS volumes across Availability Zones
• EBS Snapshot Archive provides cheaper storage but takes 24-72 hours to restore
• Fast Snapshot Restore enables fast full initialization with no latency
• Recycle bin for EBS snapshots sets up recovery rules that retains them up to 1 year
• Amazon Machine Images (AMI) customizes EC2 instances with faster boot and configurations as software is pre-installed and can be copied over to other regions
• Faster storage in EC2 Instance Store has limited performance compared to EBS and uses physical drives
• EC2 Instance Store loses data if an EC2 instance is stopped and is non-persistent
• Instance Store is useful for buffers, caches, and temporary data, however data loss is possible is hardware fails and developers are responsible for backups and replication
• EBS General Purpose SSD volumes balances price and performance (GP2/GP3)
• EBS Highest performance volumes are for mission critical data access (IO1/IO2)
• EBS Low cost HDD volumes are available for less frequent access (SC1/ST1)
• Only General Purpose and IO EBS volumes can be used for boot volumes
• EBS Multi-Attach can attach the same EBS volume to multiple EC2 instances in the same AZ with a max of 16 instances, using a cluster-aware file system, and is limited to IO1 & IO2 volumes
• Elastic File System (EFS) network file system is mounted to multiple EC2 instances across availability zones (AZs)

EBS vs EFS

EBS	EFS	Instance Store
One instance attach (except IO1/2)	More expensive	Physically attached
Locked to an AZ	NFS mounted to multiple AZs	Deleted on unmount
IO increases as size increases (GP2)
Can increase IO independently GP3
Can migrate AZ via snapshot
Terminated with EC2 by default

• EFS is only compatible with Linux AMIs

ELB and ASG

• Elastic Load Balancer (ELB) distributes incoming application traffic
• ELB different types include Classic Load Balancer, Application Load Balancer, Network Load Balancer, and Gateway Load Balancer
• Classic Load Balancer is deprecated and supports HTTP(s), TCP, SSL protocols
• Application Load Balancer supports HTTP(S), WebSocket protocols
• Network Load Balancer supports TCP, UDP protocols
• Gateway Load Balancer balances Layer 3 network protocol (IP, ICMP)

Application Load Balancer

• Application Load Balancer (ALB) balances Layer 7 HTTP traffic across machines or containers
• ALB supports HTTP2 + WebSocket and redirects HTTP to HTTPS
• ALB routes based on URL, Path, Hostname, Query String, and Headers which is appropriate for microservices or containers in ECS
• ALB can direct Target Groups to: EC2 instances, ECS Tasks, Lambda Functions, and IP Addresses
• ALBs include fixes to hostname with Client IP, proto and port set in headers using "X-Forwarded-For”

Network Load Balancer

• Network Load Balancer (NLB) balances TCP and UDP traffic with higher performance and lower latency than ALB
• NLB provides IP address per Availability Zone to direct traffic to Target Groups including EC2 instances, Private IPs, and ALBs
• Health checks support for TCP, HTTP, HTTPS protocols
• Sticky sessions redirect the same client to the same backend

Gateway Load Balancer

• Gateway Load Balancer provides firewalls, IDS, payload manipulation and serves as a gateway for other IP traffic on the IP layer
• Gateway Load Balancers can drop, inspect, or manipulate data and balances to target groups including EC2 and Private IPs with GENEVER protocol 6081

Cross Zone Load balancing

• Cross Zone Load Balancing helps to balances traffic across AZs and distributes traffic equally across instances in Target Groups, not the AZs

Server Name Indication

• Server Name Indication allows loading of multiple SSL certs on one server

Connection Draining

• Connection draining provides the time to complete in progress requests before de-registering or unhealthy EC2 instances

Auto Scaling Groups

• Auto Scaling Groups (ASG) balances scaling up and down with demand and recreating unhealthy instances
• ASG auto-registers on load balancers and creates launch templates of AMIs, Instance types, EBS vols, SSH Keys, LBs with min size, max size, initial capacity, and scale policy options

Scaling Policies

• Dynamic Scaling uses target tracking that scales depending on load (eg: CPU 40% average) and Simple/Step scaling which scales through CloudWatch alarms
• Scheduled Scaling anticipates usage patterns and Predictive Scaling forecasts traffic for pre-scaling

RDS ElastiCache Aurora

• Relational Database Service (RDS) supports Postgres, MySQL, Microsoft SQL, MariaDB, Oracle, IBM DB2, and Aurora
• RDS benefits from Manged service which auto-patches and updates automatically backups and restores easily and monitoring read replicas, multi-AZ, and scales storage
• RDS cannot provide SSH access
• RDS can provision up to 15 read replicas within an AZ, cross AZ, or across all regions in AWS has inherent network and monetary costs
• RDS multi-AZ is used for disaster recovery with one DNS, but auto failover
• Aurora has high performance Postgres, MySQL and DSQL infrastructures & implementations within 6 copies in 3 AZs
• Aurora stripes storage across hundreds of volumes with failover under 30 seconds and has read/write endpoint with auto load-balancing with encryption-at-rest and in-flight

RDS Proxy

• RDS Proxy allows application pooling/share DB connections
• RDS Proxy is a severless server with HA and auto scalable and reduces RDS + Aurora failover by 66%
• ElastiCache is a managed Redis and Memcache
• Redis offers multi-AZ with auto failover, read replicas and makes use of backup and restore and sets & sorted sets
• Memcache provides Sharding-distributed architecture with No HA, no persistence, and no backup/restore
• Lazy load caching strategy asks cache and uploads RD and update cache if info is missing
• Write-Through caching uploads when updated DB to update cache which is always up to date

Amazon Memory DB

• Amazon Memory DB is Redis-compatible, durable in-memory DB with ultra-fast performance
• To encrypt a DB, create a snapshot which encrypts and restors a snapshot

Route 53

• Amazon Route 53 is a HA, managed, scalable domain naming system (DNS) that can update records
• Hosted Zones host records that route traffic to a domain or its subdomains
• DNS Record Types include A - IPv4, AAAA - IPv6, CNAME- Hostname which cannot create for top node of hostname and points the main domain to ALB hostname, and NS - Name Server
• Routing policies include Simple, Weighted and Latency-based
• Simple routing policies will route to a single resource
• Weighted routing policies control the percentage that goes to to each resource of the same record type
• Latency-Based routing directs to resources that provide optimal latency
• Route53 Health Checks provides Auto failover by stopping routing traffic to unhealthy services
• Health checks can check the first 5KB of a response to determine health while calculate health checks like AND, OR, NOT
• CloudWatch alarms can also be set up and used as the health check (within VPC) and status of health checks
• Routing policies have Failover-alternative by returning alternative records when EC2 instances goes down (healthcheck fails)
• Geolocation defines specific records for regions with a default
• Geo-Proximity routes traffic by geographic location (You can choose more, or less traffic to a given resource using a BIAS)
• Bias shrinks or grows geographic region size based on rules for client CIDR
• Multi-value returns multiple values for clients to choose with traffic flow visual editor to manage routing

VPC

• Virtual Private Cloud (VPC) is a private network to deploy AWS resources as subnets which are partitions that are either private or public and they can define access throughout route-tables and belongs to an AZ
• Network Address Translation (NAT) allows private subnets to access the Internet, and firewalls, called Network Access Control Lists (NACL) controls access to and from a subnet
• VPC endpoints allows connections to services using a private network to increase security and decrease latency instead of public WWW network
• Subnets tied to an AZ represents a network partition
• Internet Gateway provides internet access on the VPC level and NAT Gateways/Interface enables internet access to private subnets
• Network Access Control List (NACL) provides a stateless firewall for inbound and outbound rules and Security Groups provides a stateful firewall at the EC2 level
• VPC Peering connects two VPCs together with a non-overlapping IP range
• VPC Flow Logs tracks network traffic logs and Site-to-site VPN creates a VPN over the internet between VPC and on-prem network
• DirectConnects establishes a dedicated connection to AWS by switching on-prem datacenters

S3 Intro

• Simple Storage Service (S3) provides infinite scaling storage at a regional level but buckets must have globally unique names across regions
• Files are saved as objects with the key as the file path name including the bucket s3://my-bucket/file_1.txt with object max size of 5TB
• Objects over 5GB must use multi-part upload with S3 pre-signed URLs that are tokens encoded in a URL
• S3 replication includes Cross-Region Replication (CRR) and Same-Region Replication (SRR) but requires object versioning, which disables new objects replicated where existing objects can be replicated using S3 Batch Replication
• S3 Replication deletion markers are not replicated

S3 Storage Classes

• S3 Standard offers 99.99% availability for frequently accessed data with low latency and high throughput
• S3 Infrequent Access provides lower costs though there is still rapid access such as with S3-Standard-IA stores data in minimal of 3 AZs and with S3-One-Zone-IA which stores in single AZ at 20% cheaper rate
• Glacier Storage Classes provide Low-cost storage for archiving backups with storage and retrieval costs
• Glacier Instant Retrieval has millisecond retrieval with 90 day storage
• Glacier Flexible Retrieval offeres retrieval options for 1-5 mins, 3-5 hours, 5-12 hours with 180 day storage minimum
• Glacier Deep Archive comes with 12-48 hour access and 180 day storage minimums
• Intelligent Tiering automatically moves objects between tiers for a small monthly fee with no retrieval fees

AWS CLI SDK IAM Roles Policies

• EC2 Instances can query metadata on themselves including Role names, dynamic data like IP addresses, and the launch script
• EC2 Metadata retrieval is not an IAM policy, and IMDSV2 requires a PUT to create a session token with a time-to-live of up to 6 hours
• MFA in CLI performs authentication using: “aws sts get-session-token” with token code from MFA

Advanced Amazon S3

• S3 Lifecycle rules transition objects auto across storage types, which moves objects to standard IA 60 days after creation and then to Glacier after 6 months
• S3 Expiration rules delete after a time-period using time-to-live (TTL) depending on prefix or object tags
• S3 Event Notifications trigger for create, remove, and restore events but requires an SQS, SNS, or Lambda policy to be made as well as object name filtering
• S3 Event Notifications are also sent to EventBridge
• S3 Performance includes highly scalable 100-200ms for first byte, 3500 PUT/COPY/POST/DELETE ops/sec per prefix, and 5000 HEAD/GET ops/sec per prefix
• Multi-part upload is suited files over 100MB which is mandatory for files over 5GB
• S3 Transfer Acceleration transfers files to AWS edge location, and then forwards to the S3 bucket over the internal AWS network and is closer to the client, with 50-500% faster variability
• S3 Byte Range Fetch retrieves partial files by parallelizing in order to increase fetch speed
• S3 Select & Glacier Select are services with SQL implementation (select) with a CSV file containing parts of S3 storage with returned data

Amazon S3 Security

• S3 (SSE-S3) Encryption handled, managed and owned by AWS is encrypted with server-side AES256 with the right header "X-amz-server-size-encryption: AES-256”
• Uses crypto key stored in KMS with audit logging in CloudTrail with header “X-amz-server-size-encryption: aws:kms” (contributes to KMS quota/limits)
• Keys are stored by uses keys managed outside of AWS with HTTPS being the main transfer and provided as a header with AWS never stores it
• Encryption takes place entirely on client-side with no AWS access
• S3 Access Logs stores logs pushed to another bucket from the same region (cannot be logged in the bucket itself)
• S3 Access Points simplifies permission access for applications by creating specific access points as restricted to a VPC while creating a VPC Endpoint with access to the bucket
• S3 Object Lambda uses an endpoint where an S3 access pointer and a lambda is defined with the use case to redact information

CloudFront

• CloudFront is a global content delivery network (CDN) with 250 points of presence and Denial of Service (DDOS) protection throughout regions

• CloudFront can originate from S3 buckets with enhanced Origin Access Control (OAC) which can also be used as ingress points as well as create custom origins such as ALB, EC2, S3 websites

• CloudFront caches at edge locations that is definable using Origin Request Policy which passes headers cookies and query strings through origins

• CloudFront can also allow/block country IP addresses with a 3rd-party GeoIP service | CloudFront | S3 Cross-region Replication | | --- | --- | | Uses global edge network | Manual setup per region | |Cached at edge locations with TTL | Files updated real-time | | Great for static content | Read-only | | | Great for dynamic content |

• CloudFront can cache HTTP Headers, Cookies, Query Strings to include or exclude

• Cache policies can be applied to path patterns

• Client requests to to Edge location to EC2 or ALB require the edge location being outside of the VPC and public respectively

• Access to content to specific users by Restricting access to content to users

• Allows for Signed URLs that provide singular access to files, and uses Signed Cookies to enable access to multiple files that enables configurable expiration and IP whitelisting

Advanced CloudFront

• CloudFront edge locations vary in price with three prices: All, Class 100 USA Canada Europe Israel, Class 200+ others
• CDN creates Origin Groups from at least primary and failover origins with failover criteria to ensure HA
• CDN provides Feild level data encryption for sensitive data in an encrypted form at the edge location before then can be decrypted where on the origin (in a private key) whether EC2.
• cdn enables the config of real-time logging with configurable sample field + data points to a kinesis data stream or a kinesis firehose to output logging information to a s3 bucket

ECS, ECR and Fargate

• Elastic Container Service (ECS) runs AWS containers as an ECS Task on ECS Cluster
• ECS Runs on Fargate - serverless, pay-as-you-go compute engine with no management, EC2 - you choose resources and manage capacity
• ECS Tasks run under an AWS IAM Role to permit tasks to execute on certain services through policy
• ECS Tasks are defined in Task definintion
• EC2 Instance Profile is used by the ecs agent
• ELB -> ECS Tasks
• You can mount EFS Volumes to ECS Task, which means you can share that storage
• Cannot mount S3
• AWS Copilot - CLI to build, release and operate containerized apps Scale based on:
• CPU
• RAM
• ALB request-per-target
• TargetTracking - CloudWatch Metric
• StepScaling - CloudWatch Alarm
• Scheduled Scaling

Example Architectures

• Upload to S3 bucket triggers event in Amazon EventBridge. EB runs ECS Task.ECS Task fetches from S3 (via API) and saved into DB
• Amazon EventBridge runs ECS task on a schedule (e.g. every hour)
• ECS Task polls SQS for messages
• Auto-scale on queue size
• bin pack is a setting such that leave least memoery and cpu such that it lowers fragmentation
• Random - Placed evenly based on a value (e.g. AZ)
• To config docher push run; aws ecr get-login-password -region eu-west-1 | docker login

EKS

• Nodegroups are of two types: ManagedNodeGroups and Self-Managing ManagedNodeGroups Creates/manages EC2 instances for you Can be part of an AutoScalingGroup to auto scale Self-Managed Create nodes (EC2) yourself where you can use prebuil AMI
• AWS Fargate completely managed by AWS
• *Need to specify StorageClass manifest
• *Use Container Storage Interface (CSI) driver
• *Supports EBS, EFS, FSx Lustre, FSx NetApp

Elastic BeanStock

• eb cli, for a dev-centric to deploying all infrastructure for an application using eb create|status|open|deploy|terminate Deployment Strategies
• All at once - downtime, fastest Rolling - split instances into batches Rolling with additional batch - First batch, new EC2 instances are created ratherthan existing Immutable - Deploy on new instances instead of existing
• *After EB env created the load balance cannot and should not be changed To create new one , the best practice is to copy setting but make sure RDS instance are not set to provision or they may be linked to the EB lifecycle

Cloudformation

• Declarative way to outline an infrastructure stack of AWS resources by the use of a
• Version controlled the IAC using code
• Repeatable environments created through templates stored in buckets are modified with Application composer/code editor or manually through a console input or through a yaml edit/AWS CLI call

Parameters/ Intrinsic Functions

Instrinsic fincitons

Fn::Ref - Reference parameters (in YAML: "!Ref")

• *returns the ID of another resource Fn::GetAttr - Get attribute for any resource attribute

Fn::FindInMap*Find in a MAP !FindInMap [, !Ref "AWS::Region", ""] Fn::InputValue - Import value from a previous export that has been outputted If Else use!Equals [!Ref EnvType, "prod"]

If something cannot be created use rollbacks by way of creating the stack, creating updates (rolls back or continues through a process if you fix. If something cannot Be create the code will break,

You can provide capabilities and policies for new Need to provide CAPABILITY_NAMED_IAM or CAPABILITY_IAM when CF is creating/modifying.If you delete there is such that the delete policy default of delete or can be retain /create a snapshot A stack policy is what is allowed when updating and what is a not

Custom Resource

• Create custom made resources that are not available in cloud formation but instead use outside scripts

CDK

• Cloud Development Kid is cloud infrastructure as codew Define cloud infrastructure as code provisioned through CloudFormation using Two parts: CloudFormation commands;

Amplify

• Is to deploy in conjunction with mobile and and web frameworks and integrates with EB

Cognito

Cognito is the identity access and serverless db of user where the name is is unique but the rest can be assigned Directory of federated identities that can be exchanged for temporary AWS credentials by a lambda trigger for events(like sign up) custom domain usagemust create and must create Adaptive authentication such that requires mfa or locks things due to odd account activity You can store api and security information for usage . This is the managed part and a basic summary

• Event Bridge* can be trigged by the actions.

STep fucntions

• Can have long running auditable workflows up to a year
• Express which does stream has runs up to 35 minutes. There support to to write to response

Aync

• Is to manage a callback of the action that occurs , think S3 and is defined as tasks tasks are done and coded for , which a does what's Called a runner by which it all works but it a graphql managed service on ws
• Can use cognity access and it with access*

Advanced Identity

• S3 (a union of IAM and bucket policy will be used - default deny) Possible to use variables in Policies that can be attached and passed Trust Policy - Roles can only be passed to what their trust policy allows;

Services

• managed service by Microsoft with local A D connections Private or not ,

AWS Security

CloudTrail can be used to audit all usages of a KMS key with Keys that can berotated , and all is done at a region level and can you can transfer snapshots but it all at a cost and it always done at the cost of AWS itself , AWS always knows

Key that can can only controlled.You must define each user etc for what done, Use limits because there is only so many things Encrypt data key with K MS then you it with and you can get by default code. Use DEK or reduce load on A PI with KMS with Lambda for more sense

• Redice the cost for using bucket keys