Mastering AWS Best Practices


Which AWS service is best for decoupling the components of a monolithic application?

SQS

What is the correct tenancy model for an application requiring licensing based on the number of physical CPU sockets and cores?

Dedicated host

If a VPC's CIDR block overlaps with an internal network's IP range, what is the most valid solution?

Create a new VPC with a different CIDR block

How can an EC2 instance access the internet in a private subnet?

By using a NAT gateway

What is the most appropriate way to manage sensitive information in AWS?

Use AWS Secrets Manager

What happens when a global secondary index is created in DynamoDB?

It consumes write capacity

What is the difference between STS tokens and IAM access keys?

STS tokens are designed for temporary access, while IAM access keys are designed for ongoing access

What is the purpose of AWS KMS?

To manage encryption keys for data

Does changing the instance type of an EC2 instance change its Elastic IP address?

No

Which AWS service offers read-after-write consistency automatically for all objects, including overwrite PUTS and DELETES?

S3

What is the purpose of AWS STS?

To request temporary, limited-privilege credentials for IAM users or federated users

Which AWS service is well-suited for storing JSON documents that have a consistent structure and supports the creation of global secondary indexes for existing tables at any time?

DynamoDB

AWS's Developer Support plan includes access to a support API.

False

The user is responsible for the specific configuration of EC2 instances.

True

SQS is the best AWS service for storing and managing sensitive information.

False

A Dedicated Host is the correct tenancy model for an application requiring licensing based on the number of physical CPU sockets and cores.

True

Changing the instance type of an EC2 instance changes its Elastic IP address.

False

Quick Start AMIs can only be used to create instances of the same type as the original instance.

False

Durability, in the context of Amazon S3, measures the percentage likelihood that a given object will not be lost by AWS over the course of a year.

True

A public subnet's route table must have a default route pointing to an Internet Gateway as a target.

True

Which service can be used to detect and alert you to malware on an EC2 instance?

AWS GuardDuty

When an EC2 instance in a private subnet has necessary network access to the internet, can it resolve an "A" resource record for a public hosted zone in Route 53?

Yes

Which ElastiCache engine can persistently store data?

Redis

Which routing policy in Route 53 is best for sending users to the closest application load balancer?

Geoproximity routing

Which of the following is NOT an AWS service, but rather an open-source configuration management tool?

Puppet

Which two AWS services primarily store their logs in S3 buckets?

AWS CloudTrail and AWS Config

Which feature of S3 automatically creates a new, encrypted version of an object when encryption is applied to an existing, unencrypted object?

None of the above

Which AWS service allows running Docker containers on a cluster of EC2 instances?

Elastic Container Service (ECS)

Which AWS service allows running code without provisioning or managing servers?

Lambda

EC2 instances automatically send memory utilization metrics to CloudWatch

False

An EC2 instance in a private subnet can resolve an 'A' resource record for a public hosted zone in Route 53

True

Geoproximity routing is the best routing policy in Route 53 to send users to the closest application load balancer

True

Route 53 cannot be used as the DNS service for existing domain names without switching their registration to AWS

False

Redis is the ElastiCache engine that can persistently store data

True

Puppet is an AWS service for configuration management

False

S3 cross-region replication and transfer acceleration are separate features with distinct functionalities and are inherently coupled or dependent on each other

False

AWS GuardDuty is the AWS service specifically designed to detect and alert you to malware on an EC2 instance

True

Enabling versioning on an S3 bucket automatically creates a new, encrypted version of an object when encryption is applied to an existing, unencrypted object

False

Which of the following is required to enable EC2 instances to send memory utilization metrics to CloudWatch?

Installing the CloudWatch agent on instances

Under what condition can an EC2 instance in a private subnet resolve an 'A' resource record for a public hosted zone in Route 53?

If it has necessary network access to the internet

Which routing policy in Route 53 is best to send users to the closest application load balancer?

Geoproximity routing

Can Route 53 be used as the DNS service for existing domain names without switching their registration to AWS?

Yes

Which ElastiCache engine can persistently store data?

Redis

Is Puppet an AWS service?

No

Are S3 cross-region replication and transfer acceleration inherently coupled or dependent on each other?

No

Which AWS service is specifically designed to detect and alert you to malware on an EC2 instance?

AWS GuardDuty

Does enabling versioning on an S3 bucket automatically create a new, encrypted version of an object when encryption is applied to an existing, unencrypted object?

No

Which of the following statements about EC2 instances sending memory utilization metrics to CloudWatch is true?

It can be enabled by installing the CloudWatch agent on instances

Under what conditions can an EC2 instance in a private subnet resolve an 'A' resource record for a public hosted zone in Route 53?

It can resolve the record if it has necessary network access to the internet

Which routing policy in Route 53 is best suited to send users to the closest application load balancer?

Latency-based routing

Can Route 53 be used as the DNS service for existing domain names without switching their registration to AWS?

Yes

Which ElastiCache engine can persistently store data?

Redis

Is Puppet an AWS service?

No

Are S3 cross-region replication and transfer acceleration separate features?

Yes, they are separate features with distinct functionalities

Which AWS service is specifically designed to detect and alert you to malware on an EC2 instance?

AWS GuardDuty

Does enabling versioning on an S3 bucket automatically create a new, encrypted version of an object when encryption is applied to an existing, unencrypted object?

No

Study Notes

AWS Best Practices: EC2, VPC, S3, DynamoDB, and More

  • AWS's Developer Support plan does not include access to a support API, but AWS offers APIs for many of its services.

  • AWS provides the underlying network infrastructure and services for EC2, but the specific configuration of instances is up to the user.

  • SQS is the most useful AWS service for decoupling the components of a monolithic application.

  • A Dedicated Host is the correct tenancy model for an application requiring licensing based on the number of physical CPU sockets and cores.

  • Changing the instance type of an EC2 instance does not change its Elastic IP address.

  • Quick Start AMIs can be used to create any instance type as long as they are compatible with the hardware.

  • Durability, in the context of Amazon S3, measures the percentage likelihood that a given object will not be lost by AWS over the course of a year.

  • Amazon S3 offers read-after-write consistency automatically for all objects, including overwrite PUTS and DELETES.

  • If a VPC's CIDR block overlaps with an internal network's IP range, the most valid solution is to create a new VPC with a different CIDR block.

  • An EC2 instance can access the internet via a NAT gateway or a NAT instance in a private subnet.

  • A public subnet's route table must have a default route pointing to an Internet Gateway as a target.

  • DynamoDB is well-suited for storing JSON documents that have a consistent structure and supports the creation of global secondary indexes for existing tables at any time.

AWS Services and Security: Global Secondary Index, Encrypting EC2 Instances, and STS Tokens vs IAM Access Keys

  • Creating a global secondary index in DynamoDB can consume significant write capacity and it's best to define them during the design phase.

  • AWS KMS can be used to encrypt the operating system of an EC2 instance by encrypting the EBS volume containing the OS.

  • AWS KMS is a managed service that allows users to create and control encryption keys for data.

  • AWS Secrets Manager is a service for securely storing and managing sensitive information, not for encrypting operating systems.

  • CloudHSM is a cloud-based hardware security module that can be used with KMS for key management, but not for encrypting operating systems.

  • AWS STS is a web service that enables users to request temporary, limited-privilege credentials for IAM users or federated users.

  • STS tokens consist of an access key ID, a secret access key, and a security token and expire after a set period of time.

  • IAM access keys consist of an access key ID and a secret access key and do not expire unless manually deleted or rotated.

  • STS tokens are designed for temporary access, while IAM access keys are designed for ongoing access.

  • STS tokens should be used for short-term access to resources and services, while IAM access keys should be managed with care and regularly rotated.

  • AWS KMS can be used to encrypt EBS volumes containing data other than the operating system, such as databases.

  • AWS provides multiple options for encryption and security, and users should choose the appropriate service based on their specific needs.

AWS Services and Features: Key Facts and Functions

  • EC2 instances do not automatically send memory utilization metrics to CloudWatch, but this can be enabled by installing the CloudWatch agent on instances.

  • An EC2 instance in a private subnet can resolve an "A" resource record for a public hosted zone in Route 53 if it has necessary network access to the internet.

  • Geoproximity routing is the best routing policy in Route 53 to send users to the closest application load balancer.

  • Route 53 can be used as the DNS service for existing domain names without switching their registration to AWS.

  • Redis is the ElastiCache engine that can persistently store data.

  • Puppet is not an AWS service; it is an open-source configuration management tool.

  • S3 cross-region replication and transfer acceleration are separate features with distinct functionalities and are not inherently coupled or dependent on each other.

  • AWS GuardDuty is the AWS service specifically designed to detect and alert you to malware on an EC2 instance.

  • Enabling versioning on an S3 bucket does not automatically create a new, encrypted version of an object when encryption is applied to an existing, unencrypted object.

  • On-demand instances will continue to incur costs as long as they are running, regardless of their utilization, while other instance types may have different cost structures.

  • AWS Config and AWS CloudTrail primarily store their logs in S3 buckets.

  • If a CloudWatch alarm for CPU utilization on an EC2 instance transitions from INSUFFICIENT_DATA to ALARM state, it means that CPU utilization of the EC2 instance crossed the threshold set in the alarm.

Comparison of AWS services for spinning up web servers

  • Different AWS services have different cost implications based on pricing models and termination conditions.

  • Lambda is a serverless compute service that allows running code without provisioning or managing servers.

  • Lambda automatically scales to handle incoming requests and executes code in response to events.

  • Lambda functions are triggered by events such as API Gateway or other event sources to handle small, focused tasks or functions.

  • Lambda functions have extremely fast startup times and can quickly respond to requests.

  • When an event is triggered, Lambda provisions the necessary compute resources in milliseconds and executes the function code.

  • Lambda is an excellent choice for quickly spinning up new web servers or handling short-lived, bursty workloads without manual provisioning or management.

  • Auto Scaling is a service that automatically scales EC2 instances to meet demand, based on defined policies.

  • Elastic Container Service (ECS) is a fully-managed container orchestration service that allows running Docker containers on a cluster of EC2 instances.

  • CloudFront is a content delivery network (CDN) that caches content at edge locations to reduce latency and improve content delivery.

  • While Auto Scaling, ECS, and CloudFront provide scalability and performance benefits, Lambda stands out in terms of speed and simplicity for quickly spinning up new web servers.

  • Choosing the right AWS service depends on specific use cases, workload requirements, and cost considerations.

Test your knowledge of Amazon Web Services (AWS) best practices with these two quizzes. The first quiz covers EC2, VPC, S3, DynamoDB, and more. Learn about the underlying network infrastructure, the most useful AWS services, and the correct tenancy model for your application. In the second quiz, dive into global secondary indexes, encrypting EC2 instances, and STS tokens vs IAM access keys. Brush up on how to create and control encryption keys for data, request temporary
