AWS Solutions Architect Associate Cheat Sheet [SAA-C03]


Let's go through the AWS Solutions Architect Associate cheat sheet, which will help us clear the AWS Solutions Architect Associate [SAA-C03] exam.

1. EC2 Cheat Sheet

  • EC2 Types
  • EC2 purchasing Option
  • EC2 Placement Groups
  • Security Group
  • Automatic Scaling Group, Scaling types
  • EC2 Instance Connect, EC2 Instance Store, EC2 Instance User Data and EC2 Instance Metadata
  • EBS, EFS

AWS EC2 Cheat Sheet

=========================================================

2. Elastic Load Balancer Cheat Sheet

  • Classic Load Balancer
  • Application Load Balancer
  • Network Load Balancer
  • Gateway Load Balancer

Elastic Load Balancer Cheat Sheet

=========================================================

3. AWS Database Cheat Sheet

  • RDS, Redshift, Aurora, DynamoDB, ElastiCache
  • Athena, Elasticsearch, Neptune, DocumentDB, Keyspaces, Timestream
  • Quantum Ledger Database (QLDB)
  • ElastiCache – Redis & Memcached, in-memory database
  • AWS Redshift – OLAP (Online Analytical Processing), data warehouse, columnar storage, massively parallel query execution
  • DocumentDB – MongoDB compatible; Amazon Athena – query data in S3
  • Amazon QuickSight – BI analytics, ML powered, service to create interactive dashboards
  • Amazon EMR – Elastic MapReduce, Hadoop cluster, HBase, Spark
  • AWS Glue – Extract, Transform and Load (ETL)
  • DynamoDB – serverless, NoSQL
  • Amazon QLDB – financial ledger with a central authority
  • Amazon Managed Blockchain – without a central authority, crypto
  • Amazon Keyspaces – Apache Cassandra
  • AWS Timestream – time series
  • AWS OpenSearch (formerly AWS Elasticsearch) – searching data

AWS Database Cheat Sheet

=========================================================

4. Amazon S3 Cheat Sheet

  • Versioning, MFA Delete
  • Bucket Policies S3 Encryption
  • S3 Websites, S3 CORS
  • S3 Replication, S3 Pre-signed URL
  • S3 Storage Classes, S3 Lifecycle
  • S3 Analytic, S3 Select and S3 Glacier Select,
  • S3 Transfer Acceleration
  • S3 Requester Pays
  • S3 Locks – Object Lock, Glacier Vault Lock

Amazon S3 Cheat Sheet

=========================================================

5. AWS VPC Cheat Sheet

  • CIDR, Subnet, Bastion Host
  • Internet Gateway, NAT Instance, NAT Gateway
  • Network Access Control List (NACL)
  • VPC Peering, VPC Endpoint
  • AWS Site-to-Site VPN, AWS Direct Connect
  • AWS VPN CloudHub, Transit Gateway
  • VPC – Traffic Mirroring, Egress Only Internet Gateway, AWS Network Firewall

AWS VPC Cheat Sheet

=========================================================

6. Route 53 Cheat Sheet

  • Route 53 Records
  • Route 53 Routing Policies

Route 53 Cheat Sheet

=========================================================

7. IAM Cheat Sheet

  • Identity and Access Management (IAM)
  • Single-Sign-On (SSO)
  • Cognito

AWS IAM (Identity and Access Management):

Users, groups, roles and access policies.

Global service; follow the least-privilege principle. Users or groups can be assigned JSON documents called policies, which define permissions.

A group contains only users, not other groups.

MFA (Multi-Factor Authentication):

  1. Virtual MFA device: Google Authenticator, Authy
  2. Universal 2nd Factor (U2F) security key –> physical device, e.g. YubiKey by Yubico.
  3. Hardware key fob MFA device: provided by Gemalto. Physical device.
  4. Hardware key fob MFA device for AWS GovCloud (US) –> provided by SurePassID.

AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources.

IAM Security Tools:

  1. IAM Credential Reports (Account Level): a report that lists all your account’s users and the status of their various credentials.
  2. IAM Access Advisor (User Level): Access advisor shows the service permissions granted to a user and when those services were last accessed.

IAM Best Practices:

  • Lock away your AWS account root user access keys
  • Grant least-privilege access – don’t give open policies expecting that they will be restricted later. It will never happen
  • Enable identity federation: centrally manage users and access across multiple applications and services. For federation to multiple accounts in your organisation, use AWS Single Sign-On. (Post coming soon)
  • Enable MFA. (You can use the Credential Report to export a report of all the users in your AWS organisation and check the status of their credentials: password expiration, whether MFA is enabled, and so on.)
  • Rotate credentials regularly
  • Enable IAM Access Analyser to analyse public and cross-organisation access. (See post: serverless days workshop)
  • Use permission boundaries to prevent privilege escalation
  • Use roles to delegate permissions

AWS STS (Security Token Service): central to AWS. Enables you to create temporary, limited-privilege credentials to access your AWS services.

AWS Cognito:

Identity for your web and mobile application users. Example: login with Google, Facebook or Twitter, which then redirects to the main application.

Cognito User Pools: sign-in functionality for app users. Integrates with API Gateway & Application Load Balancer. Creates a serverless database of users for your web & mobile apps. Federated identities: users from Facebook, Google, SAML.

Cognito Identity Pools (Federated Identity): provide AWS credentials to users so they can access AWS resources directly. Integrates with Cognito User Pools as an identity provider. Users can then access AWS services directly or through API Gateway.

Single Sign-On (SSO): centrally managed single sign-on to access multiple accounts and 3rd-party business applications. Integrated with AWS Organizations and on-premises Active Directory. Supports SAML 2.0. Centralized permission management. Centralized auditing with CloudTrail.

=================================================================

8. AWS Storage Options in AWS Cheat Sheet

  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic File System (Amazon EFS)
  • Amazon FSx
  • Amazon S3
  • Amazon S3 Glacier
  • AWS Storage Gateway – 1) S3 File Gateway 2) FSx File Gateway 3) Volume Gateway 4) Tape Gateway

Amazon FSx:

  • Launch 3rd-party high-performance file systems on AWS.
  • Fully managed service.

1) FSx for Windows File Server:

  • Fully managed Windows file system.
  • Supports the SMB protocol and NTFS.
  • Can be mounted on Linux EC2 instances.
  • Supports Microsoft Distributed File System (DFS).
  • Supports Microsoft AD.
  • Can be accessed from your on-premises infrastructure.

2) FSx for Lustre:

  • Lustre = Linux + cluster
  • Machine learning, high performance computing (HPC)
  • Seamless integration with S3.
  • Can be used from on-premises infrastructure.

FSx for Lustre – file system deployment options:

A) Scratch file system: temporary storage, non-persistent, high burst throughput. Data is not replicated. Useful for short-term processing.

B) Persistent file system: used for long-term processing. Data is replicated within the AZ. Failed files are replaced within minutes. Suitable for sensitive data.

3) FSx for NetApp ONTAP: managed NetApp ONTAP on AWS. File system compatible with the NFS, SMB & iSCSI protocols. Point-in-time instantaneous cloning.

4) FSx for OpenZFS: managed OpenZFS file system on AWS. File system compatible with NFS (v3, v4…). Point-in-time instantaneous cloning.

AWS Storage Gateway:

  • Bridge between on-premises data and cloud data
  • Use cases – 1) disaster recovery 2) backup & restore 3) tiered storage 4) on-premises cache 5) low-latency file access, etc.

AWS Storage Gateway types:

S3 File Gateway: configured S3 buckets are accessible using the NFS and SMB protocols. Supports S3 Standard, S3 Standard-IA, S3 One Zone-IA and S3 Intelligent-Tiering. Most recently used data is cached in the file gateway. Transition into S3 Glacier using lifecycle policies.

FSx File Gateway: native access to Amazon FSx for Windows File Server. Local cache for frequently accessed data. Windows-native capabilities like SMB, NTFS, AD, etc. Useful for group file shares and home directories.

Volume Gateway: block storage using the iSCSI protocol and backed by S3. Backed by EBS snapshots, which can help restore on-premises volumes.

A) Cached volumes: low-latency access to the most recent data.

B) Stored volumes: the entire data set is on-premises, with scheduled backups to S3.

Tape Gateway: back up data in the cloud using existing tape-based processes. Virtual Tape Library (VTL) backed by S3 & Glacier. iSCSI interface.

=========================================================

9. CloudFront in AWS Cheat Sheet (AWS GLOBAL INFRASTRUCTURE)

  • Cloudfront Origins
  • Cloudfront Geo Restrictions
  • Cloudfront Price Classes
  • Cloudfront Cache Invalidation
  • AWS Global Accelerator

AWS CloudFront:

  • It is a CDN, i.e. content delivery network
  • Improves read performance; content is cached at the edge.
  • DDoS protection
  • Integration with AWS Shield and WAF.

Cloudfront Origin:

S3 bucket: enhanced security with Origin Access Identity (OAI).

Custom (HTTP endpoint) origin: EC2, ALB, S3 websites or any HTTP endpoint.

CloudFront – Geo Restrictions: you can restrict who can access your distribution using a whitelist or blacklist. Use case: copyright laws to control access to content.

CloudFront Price Classes:

Price Class All: all regions, best performance.

Price Class 200: most regions, excluding the most expensive ones.

Price Class 100: only the least expensive regions.

CloudFront – Cache Invalidations: you can force the entire cache or part of it to refresh by performing a CloudFront cache invalidation.

AWS Global Accelerator:

Uses the AWS internal network to route traffic to your applications.

2 Anycast IPs are created for your application.

(Diagram: client → Anycast IP → edge location → application)

Works with Elastic IP, EC2 instances, ALB and NLB.

Features:

  • Consistent Performance: uses internal AWS network.
  • Health Check: performs health check of application. Great for DR.
  • Security: Only two IP needs to be whitelisted. DDos protection by AWS shield.

AWS Outposts:

AWS Outposts are “server racks” that offers the same AWS infrastructure, services, APIs & tools to build your own applications on-premises just as in the cloud.

AWS will setup and manage “Outposts Racks” within your on-premises infrastructure and you can start leveraging AWS services on-premises

You are responsible for the Outposts Rack physical security.

Benefits:

  • Low-latency access to on-premises systems
  • Local data processing
  • Data residency
  • Easier migration from on-premises to the cloud
  • Fully managed service
  • Some services that work on Outposts: Amazon EC2, Amazon EBS, Amazon S3, Amazon EKS, Amazon ECS, Amazon RDS, Amazon EMR.

AWS WaveLength:

  • WaveLength Zones are infrastructure deployments embedded within the telecommunications providers’ datacenters at the edge of the 5G networks
  • Brings AWS services to the edge of the 5G networks
  • Use cases: Smart Cities, ML-assisted diagnostics, Connected Vehicles, Interactive Live Video Streams, AR/VR, Real-time Gaming, …

AWS Local Zones:

  • Places AWS compute, storage, database, and other selected AWS services closer to end users to run latency-sensitive applications.
  • Extend your VPC to more locations – “Extension of an AWS Region”

=========================================================

10. Containers in AWS Cheat Sheet

  • Elastic Container Service(ECS)
  • Elastic Container Registry (ECR)
  • Elastic Kubernetes Service (EKS)
  • Fargate

Docker repositories are where Docker images are stored.

Docker Hub = public repository.

Amazon Elastic Container Registry (ECR): private repository.

Amazon Elastic Container Service (ECS): launch ECS tasks on an ECS cluster. ECS launch types are:

  1. EC2 launch type: you must provision and maintain the EC2 instances. Each EC2 instance must run the ECS agent to register in the ECS cluster.
  2. Fargate launch type: fully serverless. No need to provision and maintain instances; just create the tasks. To scale, increase the number of tasks.

Amazon ECS – IAM roles:

  1. EC2 Instance Profile: set in the EC2 launch configuration. Used by the ECS agent to pull Docker images from ECR, send container logs to CloudWatch, make API calls to ECS, and reference sensitive data in Secrets Manager and SSM Parameter Store.
  2. ECS Task Role: allows each task to have a specific role. Different tasks can use different roles.

Amazon ECS Integration with Load Balancers:

  1. Application Load Balancer – for most use cases
  2. Network Load Balancer – for high throughput and high performance, or to pair with PrivateLink
  3. Elastic Load Balancer – supported but not recommended

Amazon ECS – Data Volumes: EFS. Works for both EC2 and Fargate launch types. Fargate + EFS = serverless. Persistent, multi-AZ shared storage for your containers. S3 cannot be mounted as a file system.

ECS Service – Auto Scaling: Fargate auto scaling is much easier as it is serverless. ECS auto scaling is not the same as an EC2 Auto Scaling Group. EC2 launch type auto scaling: 1) EC2 Auto Scaling Group 2) ECS Cluster Capacity Provider – used to automatically provision and scale infrastructure for ECS tasks; adds EC2 instances when capacity is missing.

Amazon ECR – Elastic Container Registry: stores and manages Docker images. Fully integrated with ECS and backed by S3. Supports image vulnerability scanning, versioning, etc.

Amazon EKS:

  • Elastic Kubernetes Service
  • Managed Kubernetes on AWS
  • An alternative to ECS
  • Supports: 1) EC2 – to deploy worker nodes 2) Fargate – to deploy a serverless architecture
  • Kubernetes is cloud agnostic.
  • Collect logs and metrics using CloudWatch Container Insights.
  • Fargate: serverless
  • Amazon EKS – Data Volumes: need to specify a storage class. Uses the Container Storage Interface (CSI). Supports: 1) EBS 2) EFS 3) FSx for Lustre 4) FSx for NetApp ONTAP.

Amazon EKS – Node Types:

Managed Node Group: On EC2 instances and part of ASG. Support on-demand and spot instances.

Self-managed nodes: nodes created by you, registered to the EKS cluster and managed by an ASG. Supports on-demand and spot instances. EKS-optimized AMI.

=========================================================

11. Analytics in AWS Cheat Sheet

  • QuickSight, Kinesis, Elastic MapReduce (EMR)
  • Data Pipeline, CloudSearch
  • Other services – Athena, Elasticsearch, SageMaker

=========================================================

12. Serverless Services in AWS Cheat Sheet

  • DynamoDB, API Gateway
  • Lambda, Lambda @Edge, Fargate
  • Amazon S3, EFS, AppSync
  • Aurora Serverless, RDS Proxy, Athena
  • SQS, SNS
  • Kinesis, Step Function, Event Bridge

AWS Lambda:

  • Virtual function. Function as a Service (FaaS), serverless.
  • Runs on demand and scaling is automated.
  • Lambda Container Image: the container image must implement the “Lambda Runtime API”.
  • AWS Lambda Pricing: 1) pay per call – $0.20 per 1 million requests 2) pay per duration.

AWS Lambda Limits – per region:

Execution limits: size of environment variables – 4 KB. Memory allocation = 128 MB – 10 GB. Max execution time 900 sec, i.e. 15 min. Disk capacity (/tmp) = 512 MB – 10 GB. Concurrent executions: 1000s.

Deployment limits: /tmp can be used. Environment variable size = 4 KB. Deployment size compressed = 50 MB. Deployment size uncompressed = 250 MB.

Lambda @ Edge:

Runs alongside CloudFront.

Lambda can be used to change the CloudFront request and response at four points:

1) Viewer Request: after CloudFront receives a request from the viewer.

2) Origin Request: before CloudFront forwards a request to the origin.

3) Origin Response: after CloudFront receives the response from the origin.

4) Viewer Response: before CloudFront forwards the response to the viewer.

Lambda with RDS Proxy: the Lambda function must be deployed in your VPC because RDS Proxy is never publicly accessible. RDS Proxy improves scalability by pooling and sharing DB connections, and improves availability by reducing failover time by 66% through preserved connections.
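As an added example (not code from the original cheat sheet), here is a Python Lambda@Edge handler for the origin-response trigger described above: it adds standard security headers to the response CloudFront received from the origin before it is cached and returned to viewers. The event shape follows the CloudFront event record format (`Records[0].cf.config.eventType`, `.request`, `.response`, with headers keyed by lowercase name); the sample event, the header values and the function names are constructed for this illustration. Lambda@Edge functions are created in us-east-1 and replicated to the edge by CloudFront.

```python
import copy
import json

# Headers to add on every origin response. Values are constructed defaults
# (not from the page); tune the CSP for the real site before deploying.
SECURITY_HEADERS = {
    "strict-transport-security": ("Strict-Transport-Security",
                                  "max-age=63072000; includeSubDomains; preload"),
    "x-content-type-options": ("X-Content-Type-Options", "nosniff"),
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "referrer-policy": ("Referrer-Policy", "strict-origin-when-cross-origin"),
    "content-security-policy": ("Content-Security-Policy", "default-src 'self'"),
}

# Response headers that reveal origin software and add nothing for clients.
STRIP_HEADERS = ("server", "x-powered-by")


def add_security_headers(response: dict) -> dict:
    """Return a copy of a CloudFront response object with the headers applied.
    CloudFront keys the headers dict by lowercase name; each value is a list
    of {"key": original-case name, "value": ...} entries."""
    out = copy.deepcopy(response)
    headers = out.setdefault("headers", {})
    for lower, (key, value) in SECURITY_HEADERS.items():
        if lower not in headers:  # never clobber a header the origin set on purpose
            headers[lower] = [{"key": key, "value": value}]
    for lower in STRIP_HEADERS:
        headers.pop(lower, None)
    return out


def handler(event, context):
    """Lambda@Edge entry point. On an origin-response trigger, return the
    modified response; on any other trigger, pass the object through unchanged."""
    cf = event["Records"][0]["cf"]
    if cf["config"]["eventType"] == "origin-response":
        return add_security_headers(cf["response"])
    # Request triggers must return the request object, response triggers the response.
    return cf["response"] if "response" in cf else cf["request"]


# Constructed sample event in the CloudFront origin-response record shape.
SAMPLE_EVENT = json.loads("""
{"Records": [{"cf": {
  "config": {"distributionId": "EXAMPLE", "eventType": "origin-response",
             "requestId": "constructed-request-id"},
  "request": {"uri": "/index.html", "method": "GET",
              "headers": {"host": [{"key": "Host", "value": "example.com"}]}},
  "response": {"status": "200", "statusDescription": "OK",
               "headers": {"content-type": [{"key": "Content-Type", "value": "text/html"}],
                           "server": [{"key": "Server", "value": "nginx/1.24"}],
                           "x-frame-options": [{"key": "X-Frame-Options", "value": "SAMEORIGIN"}]}}
}}]}
""")

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, None)["headers"], indent=2))
```

The handler deliberately leaves a header the origin already set (here `X-Frame-Options: SAMEORIGIN`) untouched, so the origin keeps control of per-application values while the edge function guarantees a baseline for everything else.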

AWS API Gateway:

  • Rest API, serverless, support for web socket.
  • Handles API versioning
  • Creates API keys and handles request throttling.
  • Cache API Response
  • AWS Lambda + API GW = serverless
  • AWS API Gateway Integration with 1) Lambda 2) HTTP endpoints 3) AWS Service.

API Gateway Endpoints:

  1. Edge Optimized: for global clients. Requests are routed through cloud front edge location and API gateway still lives in a region.
  2. Regional: Clients within same region. For more control over caching.
  3. Private: can be accessed from your VPC using an interface VPC endpoint.

AWS Step Functions:

Build serverless visual workflows to orchestrate your Lambda functions. Possibility of implementing human approval features. Features are sequence, parallel, conditions, timeout, error handling, etc. Use cases: order fulfilment, data processing, etc.

AWS SQS (Simple Queue Service): fully managed service used to decouple applications. Default retention of messages is 4 days, maximum 14 days.

AWS SNS (Simple Notification Service): pub-sub model with topics.

Amazon Kinesis:

Real-time big data streaming. Managed service to collect, process and analyze real-time streaming data at any scale.

Kinesis Data Streams –> low-latency streaming to ingest data at high scale from hundreds of thousands of sources.

Kinesis Data Firehose –> load streams into S3, Redshift, Elasticsearch, etc.

Kinesis Data Analytics –> performs real-time analytics on streams using SQL.

Kinesis Video Streams –> monitor real-time video streams for analytics or ML.

=========================================================

13. Management and Governance in AWS Cheat Sheet

AWS Backup: fully managed service to centrally manage and automate backups across AWS services. Supports point-in-time recovery (PITR), cross-region backups and cross-account backups. On-demand and scheduled backups.

AWS Config: helps with auditing and recording compliance of your AWS resources. Records configurations and changes over time.

AWS Systems Manager (SSM): a hybrid service that helps you manage your EC2 and on-premises systems at scale. Get operational insights about the state of your infrastructure.

Features: patching automation for enhanced compliance; run commands across an entire fleet of servers.

Systems Manager – SSM Session Manager: hybrid service that lets you start a secure shell on your EC2 and on-premises servers. No SSH access, bastion hosts, or SSH keys needed. No port 22 needed (better security). Sends session log data to S3 or CloudWatch Logs.

AWS Resource Access Manager (RAM): a service that enables you to share AWS resources easily and securely with any AWS account or within your AWS Organization.

You can share AWS Transit Gateways, subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules with RAM.

Key benefits: 1) reduce operational overhead 2) improve security and visibility 3) optimize costs

AWS Auto Scaling Group (ASG):

Vertical scalability –> increasing the size of an EC2 instance, e.g. from t2.micro to m5.large (scale up/down).

Horizontal scalability –> adding more instances of a similar type (scale in/out).

Auto Scaling Groups – Scaling Strategies:

Manual Scaling: Update the size of an ASG manually.

Dynamic Scaling: Respond to changing demand

A) Simple/Step Scaling

B) Target Tracking Scaling

C) Scheduled Scaling

D) Predictive Scaling

Trusted Advisor:

  • No need to install anything – high level AWS account assessment
  • Analyze your AWS accounts and provides recommendation on 5 categories
  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits (Service Quotas)

Trusted Advisor – 7 Core Checks:

1) S3 Bucket Permissions

2) Security Groups

3) IAM Use

4) MFA on root account

5) EBS Public snapshot

6) RDS Public snapshot

7) Service Quotas (Service limits)
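The first two core checks above (S3 bucket permissions and security groups) are easy to reproduce locally for your own evidence gathering. The following Python is an added example, not Trusted Advisor's own logic: it runs over constructed data in the shape returned by the EC2 `describe-security-groups` API and by an S3 bucket policy document, flagging ingress rules open to the whole internet on anything other than 80/443 and bucket policies that grant anonymous access without a Condition. Group IDs, bucket names and the `vpce-EXAMPLE` endpoint ID are placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not real groups).
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ssh", "GroupName": "admin", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0all", "GroupName": "legacy", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
""")["SecurityGroups"]

ANYWHERE = {"0.0.0.0/0", "::/0"}
EXPECTED_PUBLIC_PORTS = {80, 443}  # web listeners are expected to be world-reachable


def open_ingress_rules(groups):
    """Trusted Advisor-style 'Security Groups' check: ingress rules reachable from
    the whole internet on ports other than 80/443, or on all protocols."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = sorted(c for c in cidrs if c in ANYWHERE)
            if not world:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":  # -1 means all protocols and all ports
                ports = "all"
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if lo == hi and lo in EXPECTED_PUBLIC_PORTS:
                    continue
                ports = f"{lo}-{hi}"
            findings.append({"group": g["GroupId"], "protocol": proto,
                             "ports": ports, "from": world})
    return findings


def bucket_policy_is_public(policy: dict) -> bool:
    """Trusted Advisor-style 'S3 Bucket Permissions' check: an Allow statement whose
    Principal is everyone and that carries no Condition grants anonymous access."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        everyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if everyone and not stmt.get("Condition"):
            return True
    return False


# Constructed bucket policies: one anonymous-read, one scoped to an account role,
# one "*" principal but restricted to a VPC endpoint by a Condition.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/Reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-private/*"}]}
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}

if __name__ == "__main__":
    for f in open_ingress_rules(SAMPLE_SECURITY_GROUPS):
        print("OPEN:", f)
    for name, pol in [("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY), ("vpce", VPCE_POLICY)]:
        print(name, "public" if bucket_policy_is_public(pol) else "not public")
```

A policy with a `*` principal and a Condition is reported as not public here only because the check is conservative; whether such a policy is actually safe depends on the condition, so review those by hand.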

CloudFormation (IaaS): CloudFormation is a declarative way of outlining your AWS infrastructure, for any resources. For example, within a CloudFormation template, you say: I want a security group, two EC2 instances using this security group, an S3 bucket, and a load balancer (ELB) in front of these machines. CloudFormation then creates those for you, in the right order, with the exact configuration that you specify.

AWS CloudTrail:

  • Provides governance, compliance, and audit for your AWS Account
  • CloudTrail is enabled by default!
  • Get a history of events / API calls made within your AWS account by: Console, SDK, CLI, AWS services
  • Can put logs from CloudTrail into CloudWatch Logs or S3
  • A trail can be applied to All Regions (default) or a single Region.
  • If a resource is deleted in AWS, investigate CloudTrail first!

CloudTrail Events:

  1. Management Events: operations that are performed on resources in your AWS account. Examples: configuring security (IAM AttachRolePolicy), configuring rules for routing data (Amazon EC2 CreateSubnet), setting up logging (AWS CloudTrail CreateTrail). By default, trails are configured to log management events. Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources).
  2. Data Events: by default, data events are not logged (because they are high-volume operations). Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject): can separate Read and Write Events. AWS Lambda function execution activity (the Invoke API).
  3. CloudTrail Insights Events: enable CloudTrail Insights to detect unusual activity in your account: inaccurate resource provisioning, hitting service limits, bursts of AWS IAM actions, gaps in periodic maintenance activity. CloudTrail Insights analyzes normal management events to create a baseline, then continuously analyzes write events to detect unusual patterns. Anomalies appear in the CloudTrail console, the event is sent to Amazon S3, and an EventBridge event is generated (for automation needs).

CloudTrail Events Retention: Events are stored for 90 days in CloudTrail. To keep events beyond this period, log them to S3 and use Athena.
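The cheat sheet's advice is to investigate CloudTrail first when a resource disappears. As an added example (not from the original page), the Python below walks constructed CloudTrail records laid out in the standard record format (`eventTime`, `eventName`, `readOnly`, `userIdentity`, `requestParameters`, `additionalEventData`), answers "who deleted resource X, when and from where", flags a root-account console login without MFA, and uses the `readOnly` flag to separate read events from write events as the section describes. Account IDs, ARNs, IPs and resource IDs are constructed; the function names are mine.

```python
import json

# Constructed sample CloudTrail records (not real account data). Keys follow
# the CloudTrail record format; a real trail wraps them in {"Records": [...]}.
SAMPLE_RECORDS = json.loads("""
[
 {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "readOnly": false, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-05-01T08:05:40Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "readOnly": true, "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2024-05-01T08:07:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "readOnly": false, "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci-runner"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
 {"eventTime": "2024-05-01T08:09:51Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket", "readOnly": false, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"bucketName": "example-logs-bucket"}}
]
""")

# Event-name prefixes that remove or tear down a resource.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove", "Detach")


def _mentions(value, needle: str) -> bool:
    """Recursively search a requestParameters tree for an exact string match."""
    if isinstance(value, dict):
        return any(_mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(_mentions(v, needle) for v in value)
    return value == needle


def find_deletions(records, resource_id: str):
    """Who deleted/terminated `resource_id`, and when? Returns a list of
    (eventTime, actor ARN, eventName, source IP) tuples, oldest first."""
    hits = []
    for r in records:
        if (r["eventName"].startswith(DESTRUCTIVE_PREFIXES)
                and _mentions(r.get("requestParameters", {}), resource_id)):
            hits.append((r["eventTime"], r["userIdentity"]["arn"],
                         r["eventName"], r.get("sourceIPAddress")))
    return sorted(hits)


def root_logins_without_mfa(records):
    """Root console logins where additionalEventData.MFAUsed is not 'Yes'."""
    return [(r["eventTime"], r.get("sourceIPAddress")) for r in records
            if r["eventName"] == "ConsoleLogin"
            and r["userIdentity"].get("type") == "Root"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def read_write_counts(records):
    """Split events using CloudTrail's readOnly flag (reads never modify resources)."""
    reads = sum(1 for r in records if r.get("readOnly") is True)
    return {"read": reads, "write": len(records) - reads}


if __name__ == "__main__":
    print(find_deletions(SAMPLE_RECORDS, "i-0123456789abcdef0"))
    print(find_deletions(SAMPLE_RECORDS, "example-logs-bucket"))
    print(root_logins_without_mfa(SAMPLE_RECORDS))
    print(read_write_counts(SAMPLE_RECORDS))
```

Because events leave the CloudTrail event history after 90 days, the same functions would normally be pointed at records pulled from the trail's S3 bucket (or an Athena query over it) rather than at the console.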

AWS Organizations:

Global service that allows you to manage multiple AWS accounts.

The main account is the master account; the other accounts are called child accounts.

AWS Organizations Cost Benefits:

  • Consolidated Billing across all accounts – single payment method
  • Pricing benefits from aggregated usage (volume discount for EC2, S3…)
  • Pooling of Reserved EC2 instances for optimal savings
  • API is available to automate AWS account creation
  • Restrict account privileges using Service Control Policies (SCP)

Multi Account Strategies: Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-account service limits, isolated account for logging.

Service Control Policies (SCP):

Whitelist or blacklist IAM actions

Applied at the OU or Account level

Does not apply to the Master Account

SCP is applied to all the Users and Roles of the Account, including Root user

The SCP does not affect service-linked roles-> Service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs.

SCP must have an explicit Allow (does not allow anything by default)

Use cases: 1) Restrict access to certain services (for example: can’t use EMR) 2) Enforce PCI compliance by explicitly disabling services.
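To make the layering of identity policy, permission boundary and SCP concrete, here is an added Python example (not from the cheat sheet) that evaluates a request against all three: an explicit Deny anywhere wins, the SCP and the boundary must each allow (neither grants anything by itself), and finally the identity policy must allow. The three policy documents are constructed; the SCP reuses the page's own "can't use EMR" use case. This is a deliberate simplification of the real evaluation logic: resource-based policies, session policies and condition keys are left out, and the function names (`evaluate`, `is_allowed`) are mine.

```python
import fnmatch
import json

# Constructed identity policy: broad IAM rights, some S3, plus one explicit Deny.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["iam:*", "elasticmapreduce:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/protected/*"}
  ]
}
""")

# Permission boundary: the most the identity may ever have. It grants nothing
# on its own, which is what stops the iam:* statement above from being usable.
PERMISSION_BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "elasticmapreduce:*"],
     "Resource": "*"}
  ]
}
""")

# SCP on the account's OU: allow everything except EMR (the page's example).
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    # IAM matches Action names case-insensitively and Resource ARNs case-sensitively;
    # '*' and '?' are wildcards in both.
    if case_insensitive:
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document.
    An explicit Deny in any matching statement wins over every Allow."""
    result = "implicit_deny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        result = "allow"
    return result


def is_allowed(action, resource, identity, boundary=None, scp=None) -> bool:
    """Simplified decision for an IAM principal in a member account:
    an explicit Deny in any layer denies; otherwise every layer present
    (identity policy, permission boundary, SCP) must allow."""
    layers = [identity] + [p for p in (boundary, scp) if p is not None]
    verdicts = [evaluate(p, action, resource) for p in layers]
    if "deny" in verdicts:
        return False
    return all(v == "allow" for v in verdicts)


def demo() -> dict:
    """Evaluate a few requests against all three layers; returns {label: allowed}."""
    bucket = "arn:aws:s3:::example-bucket/"
    cases = {
        "s3:GetObject on public file": ("s3:GetObject", bucket + "report.csv"),
        "s3:PutObject on protected prefix": ("s3:PutObject", bucket + "protected/x"),
        "iam:CreateUser (blocked by boundary)": ("iam:CreateUser", "*"),
        "elasticmapreduce:RunJobFlow (blocked by SCP)": ("elasticmapreduce:RunJobFlow", "*"),
        "ec2:DescribeInstances (boundary alone grants nothing)": ("ec2:DescribeInstances", "*"),
    }
    return {name: is_allowed(a, r, IDENTITY_POLICY, PERMISSION_BOUNDARY, SCP)
            for name, (a, r) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

The `iam:CreateUser` case is the privilege-escalation scenario the IAM best practices list warns about: the identity policy grants `iam:*`, but the boundary caps it, so the call is denied without any explicit Deny statement.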

AWS Organization – Consolidated Billing:

When enabled, provides you with: Combined Usage – combine the usage across all AWS accounts in the AWS Organization to share the volume pricing, Reserved Instances and Savings Plans discounts.

One Bill – get one bill for all AWS Accounts in the AWS Organization

The management account can turn off Reserved Instances discount sharing for any account in the AWS Organization, including itself.

AWS Control Tower:

Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices.

Benefits:

  • Automate the set up of your environment in a few clicks.
  • Automate ongoing policy management using guardrails.
  • Detect policy violations and remediate them.
  • Monitor compliance through an interactive dashboard.
  • AWS Control Tower runs on top of AWS Organizations: It automatically sets up AWS Organizations to organize accounts and implement SCPs (Service Control Policies)

=========================================================

14. Security Services in AWS Cheat Sheet

1. AWS Shield: protects from DDoS attacks.

Standard – free, automatically enabled for all customers, protects against SYN/UDP floods & layer 3/4 attacks.

Advanced – 24x7 premium, DDoS Response Team (DRT), protects against higher fees during a DDoS attack.

2. AWS WAF (Web Application Firewall):

  • Filters specific requests based on rules.
  • Protects against common web attacks, i.e. layer 7 attacks
  • Protects against SQL injection and cross-site scripting (XSS)
  • Deployed on top of ALB, API Gateway and CloudFront.

3. AWS KMS – AWS Key Management Service:

Symmetric (AES-256 key): a single encryption key is used for both encryption and decryption. AWS services use KMS symmetric keys.

Asymmetric (RSA & ECC keys): public (encrypt) and private (decrypt) key pair. Used for encryption/decryption or sign/verify.

AWS-managed KMS key: automatic rotation every 1 year.

4. CloudHSM: provisions dedicated encryption hardware that customers can use to store keys. It is tamper resistant and FIPS Level 3 compliant.

5. AWS Certificate Manager: used to store TLS/SSL certificates.

6. AWS Secrets Manager: stores secrets like database passwords and can force rotation of a secret after X days.

7. AWS Artifact: used for compliance and auditing.

AWS Artifact Reports provide reports such as PCI, ISO, SOC, etc. AWS Artifact Agreements: BAA, HIPAA.

8. AWS GuardDuty: intelligent threat discovery & malicious behavior detection.

9. AWS Inspector: automated security assessment – vulnerabilities, unintended network access, etc.

10. AWS Config: records configuration and changes over time. Auditing & recording compliance of your AWS resources.

11. AWS Macie: protects sensitive data or personally identifiable information.

12. Amazon Security Hub: central security tool to manage security across several AWS accounts & automate security assessments. Aggregates findings from GuardDuty, Inspector, Macie, SSM, IAM Access Analyzer, etc.

13. Amazon Detective: analyze, investigate and quickly identify the root cause of security issues.

14. AWS Firewall Manager: manage rules in all accounts of an AWS Organization.

15. AWS CloudTrail: provides governance, compliance and audit for your AWS account.

  • If a resource is deleted in AWS, investigate CloudTrail first.
  • CloudTrail is enabled by default! Get an history of events / API calls made within your AWS Account.
  • CloudTrail Events: A) Management Events: By default, trails are configured to log management events. B) Data Events: By default, data events are not logged C) CloudTrail Insights Events:

16. Organizations: Global service, allows to manage multiple AWS account.

  • Consolidated billing across all account.
  • Pricing benefits from aggregated usage.
  • Pooling of reserved instances for optimal savings.
  • Restrict account privileges by using SCP – service control policies

17. Resource Access Manager: AWS RAM shares resources with other AWS accounts. Benefits of AWS RAM – lower operational costs, simplified security management, extensive experience, audit and visibility.

Penetration Testing: AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services. For other AWS services, customers need approval from AWS. Permitted services:

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS Fargate
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments

Prohibited Actions During Penetration Testing are:

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service, Simulated DoS, Simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

AWS Abuse: Report suspected AWS resources used for abusive or illegal purposes.

The AWS Acceptable Use Policy (AUP) is a policy that applies to all customers of AWS cloud services. The policy states:

  • No illegal, Harmful or Offensive use or Content
  • No security violations
  • No Network abuse
  • No E-mail or Message Abuse
  • Every organization will have to adhere to these rules when shifting their organization and it’s applications to AWS cloud.

=========================================================

15. Migration and Transfer Services in AWS Cheat Sheet

AWS Migration Hub:

  • AWS Migration Hub provides a central location to collect server and application inventory data for the assessment, planning, and tracking of migrations to AWS. Migration Hub can also help accelerate application modernization following migration.
  • Use cases: 1) Assess and plan your migration 2) Automate lift-and-shift migrations to AWS 3) Refactor legacy applications

AWS Server Migration Service:

  • AWS Server Migration Service (AWS SMS) automates the migration of your on-premises VMware vSphere, Microsoft Hyper-V/SCVMM, and Azure virtual machines to the AWS Cloud.
  • AWS SMS incrementally replicates your server VMs as cloud-hosted Amazon Machine Images (AMIs) ready for deployment on Amazon EC2.
  • An agentless service for migrating thousands of on-premises workloads to AWS. This is the enhanced replacement of Amazon EC2 VM Import service.

AWS Database Migration Service:

  • Quickly and securely migrate databases to AWS, resilient, self healing.
  • The source database remains available during the migration
  • Supports: 1) Homogeneous migrations: ex Oracle to Oracle 2) Heterogeneous migrations: ex Microsoft SQL Server to Aurora
  • Continuous Data Replication using CDC
  • AWS Schema Conversion Tool (SCT): Convert your Database’s Schema from one engine to another. Example OLTP: (SQL Server or Oracle) to MySQL, PostgreSQL, Aurora

AWS Data Sync:

  • Is used to move large amount of data to and from AWS.
  • On premise/other cloud to AWS: needs data sync agent.
  • AWS to AWS: no data sync agent needed.
  • Can synchronize to – Amazon S3, Amazon EFS and Amazon FSx.
  • Replication can be scheduled hourly, daily, or weekly.
  • File permissions and metadata are preserved.

AWS Transfer Family:

  • A fully managed service for file transfer in and out of S3 or EFS using FTP protocol.
  • Managed infrastructure, scalable, reliable, and highly available.
  • Pay per provisioned endpoint per hour + data transferred in GB.
  • Supported protocol are:
    1. AWS transfer for FTP.
    2. AWS transfer for FTPS.
    3. AWS transfer for SFTP.

AWS Snow Family:

Highly secure, portable devices to collect and process data at the edge and migrate data in and out of AWS.

Data Migration: 1) Snowcone 2) Snowball Edge 3) Snowmobile

Edge Computing: 1) Snowcone 2) Snowball Edge

AWS Snowcone:

  • Small, portable computing anywhere. Rugged and secure; withstands harsh environments.
  • Device is used for edge computing, storage and data transfer.
  • 8 TB of usable storage.
  • Use Snowcone where Snowball doesn’t fit, such as space-constrained environments.
  • Must provide your own battery and cable.
  • Can be sent back to AWS offline, or connected to the internet to send data with AWS DataSync.

AWS Snowball Edge:

  • For data transfer
  • Move TB’s or PB’s of data in and out of AWS.
  • Pay per data transfer job
  • Provide block storage and amazon S3 compatible object storage.

1) Snowball Edge storage Optimized: 80 TB of HDD capacity.

2) Snowball Edge Compute Optimized: 42 TB of HDD capacity.

  • Use cases: 1) large data cloud migration 2) data center (DC) decommission 3) disaster recovery.

AWS Snowmobile:

  • Transfer exabytes of data.
  • Each Snowmobile has 100 PB of capacity.
  • High security: temperature controlled, GPS tracking, 24/7 video surveillance.
  • Better than Snowball if you transfer more than 10 PB.

Snow Family – Edge Computing:

Snowcone (smaller): 2 CPU, 4 GB memory, wired or wireless access. USB-C power cable.

Snowball Edge – Compute Optimized: 52 vCPU, 208 GiB of RAM. 42 TB of usable storage.

Snowball Edge – Storage Optimized: up to 40 vCPU, 80 GiB of RAM. Object storage clustering available.

AWS OpsHub: Software you install on your computer or laptop to manage your Snow Family devices.

=========================================================

16. Machine Learning Services in AWS Cheat Sheet

  1. Amazon Rekognition: Face detection, recognizing objects and celebrities.
  2. Amazon Transcribe: Converts speech to text, for example to produce subtitles.
  3. Amazon Polly: Opposite of Amazon Transcribe, converts text to speech.
  4. Amazon Lex: The technology behind Amazon Alexa. Converts speech to text.
  5. Amazon Connect: Cloud contact center, virtual contact center.
  6. Amazon Translate: Like Google Translate, translates between different languages.
  7. Amazon Kendra: Document search service.
  8. Amazon Comprehend: NLP (Natural Language Processing).
  9. Amazon SageMaker: Service to build machine learning models.
  10. Amazon Forecast: Forecasting, e.g. future sales of raincoats.
  11. Amazon Personalize: For personalization.
  12. Amazon Textract: Extracting data from any document.

=========================================================

17. Development Tools in AWS Cheat Sheet

AWS CodeDeploy: is a hybrid service which deploys our application on EC2 instances and on-premises servers.

AWS CodeCommit: is a Source-control service that hosts Git-based repositories to store code.

AWS CodeBuild: Code building service in the cloud. It compiles source code, runs tests, and produces packages that are ready to be deployed.

AWS CodePipeline: Orchestrates the different steps to have the code automatically pushed to production. Code => Build => Test => Provision => Deploy. Basis for CI/CD (Continuous Integration & Continuous Delivery).

Fast delivery & rapid updates. Fully managed, compatible with CodeCommit, CodeBuild, CodeDeploy, Elastic Beanstalk, CloudFormation, GitHub and other 3rd-party services, & custom plugins.

AWS CodeArtifact: CodeArtifact is a secure, scalable, and cost-effective artifact management service for software development. Storing and retrieving code dependencies is called artifact management.

Developers and CodeBuild can then retrieve dependencies straight from CodeArtifact.

AWS CodeStar: Unified UI to easily manage software development activities in one place. "Quick way" to get started and correctly set up CodeCommit, CodePipeline, CodeBuild, CodeDeploy, Elastic Beanstalk, EC2, etc.

AWS Cloud9: AWS Cloud9 is a cloud IDE (Integrated Development Environment) for writing, running and debugging code. A cloud IDE can be used within a web browser, meaning you can work on your projects from your office, home, or anywhere with an internet connection, with no setup necessary. AWS Cloud9 also allows for code collaboration in real time (pair programming).

AWS Systems Manager (SSM): is a hybrid service, helps you manage your EC2 and On-Premises systems at scale. Get operational insights about the state of your infrastructure.

Features include: patching automation for enhanced compliance, and running commands across an entire fleet of servers.

Systems Manager – SSM Session Manager: hybrid service, allows you to start a secure shell on your EC2 and on-premises servers.

No SSH access, bastion hosts, or SSH keys needed. No port 22 needed (better security). Send session log data to S3 or CloudWatch Logs.

AWS OpsWorks: Managed Chef & Puppet; helps you perform server configuration and repetitive actions automatically.

CloudFormation (Infrastructure as Code): CloudFormation is a declarative way of outlining your AWS infrastructure, for any resources. For example, within a CloudFormation template, you say: I want a security group, two EC2 instances using this security group, an S3 bucket, and a load balancer (ELB) in front of these machines. CloudFormation then creates those for you, in the right order, with the exact configuration that you specify.
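The Session Manager point above ("no port 22 needed") and the CloudFormation sketch (a security group shared by two EC2 instances and an S3 bucket) can be tied together with a small template lint. This is an added example, not code from the cheat sheet or from AWS: the template, resource names and `ami-PLACEHOLDER` value are constructed for illustration, and the check only reads the template, so it runs offline.

```python
import copy
from ipaddress import ip_network

SSH_PORT = 22

# Constructed sample template (not a real deployment): one security group shared
# by two instances plus an S3 bucket, as sketched in the CloudFormation section.
TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Web1": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-PLACEHOLDER", "SecurityGroupIds": [{"Ref": "WebSg"}]}},
    "Web2": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-PLACEHOLDER", "SecurityGroupIds": [{"Ref": "WebSg"}]}},
    "Assets": {"Type": "AWS::S3::Bucket"}}}

def rule_exposes_port(rule, port):
    """True if one SecurityGroupIngress entry admits `port` from any IPv4/IPv6 address."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto not in ("tcp", "-1"):           # "-1" means every protocol and port
        return False
    if proto == "tcp":
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if not lo <= port <= hi:
            return False
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not isinstance(cidr, str):            # intrinsic function or SG-to-SG reference
        return False
    return ip_network(cidr, strict=False).prefixlen == 0   # 0.0.0.0/0 or ::/0

def find_world_open_ssh(template):
    """Logical IDs of security groups that still admit SSH from the whole internet."""
    return [name for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::SecurityGroup"
            and any(rule_exposes_port(r, SSH_PORT)
                    for r in res.get("Properties", {}).get("SecurityGroupIngress", []))]

def strip_world_open_ssh(template):
    """Copy of the template with those rules removed; Session Manager replaces port 22."""
    out = copy.deepcopy(template)
    for res in out["Resources"].values():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            props = res.setdefault("Properties", {})
            props["SecurityGroupIngress"] = [
                r for r in props.get("SecurityGroupIngress", []) if not rule_exposes_port(r, SSH_PORT)]
    return out
```

Run `find_world_open_ssh` in a pipeline step before `aws cloudformation deploy` to fail the build when a group still opens SSH to the world; `strip_world_open_ssh` shows the hardened template with only the HTTP rule left.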

AWS Cloud Development Kit (CDK): is used to define your cloud infrastructure using a familiar language: JavaScript/TypeScript, Python, Java, and .NET. The code is "compiled" into a CloudFormation template (JSON/YAML). You can therefore deploy infrastructure and application runtime code together.

AWS Elastic Beanstalk: Elastic Beanstalk is a developer-centric view of deploying an application on AWS. Beanstalk is Platform as a Service (PaaS); the service itself is free, but you pay for the underlying instances.

Elastic Beanstalk – Health Monitoring: A health agent pushes metrics to CloudWatch, checks application health, and publishes health events.

Three architecture models:

  • Single Instance deployment: good for dev
  • LB + ASG: great for production or pre-production web applications
  • ASG only: great for non-web apps in production (workers, etc.)

=========================================================

Thanks for reading "AWS Solutions Architect Associate Cheat Sheet"!!

I hope "AWS Solutions Architect Associate Cheat Sheet" has helped you enough in preparation for the exam. Please also refer to the FAQs on the official Amazon site, like:

S3 FAQ: here

VPC FAQ: here

To learn more, refer to the Amazon Web Service – AWS Tutorial

Good Luck !!