AWS SysOps - keshavbaweja-git/guides GitHub Wiki

CloudWatch offers basic monitoring and detailed monitoring. For basic monitoring, data is available automatically in 5-minute periods at no charge. For detailed monitoring, data is available in 1-minute periods for an additional charge.

Amazon RDS uses Amazon SNS to provide notification when an RDS event occurs. These notifications can be in any notification form that is supported by Amazon SNS for an AWS Region, such as an email message, a text message, or a call to an HTTP endpoint.

For the CloudWatch agent to push logs to CloudWatch, the EC2 instance profile must be associated with an IAM role that has the appropriate permissions.

An Amazon ElastiCache cluster has no Auto Scaling group associated with it; nodes are added or removed through the CLI or console.

When an EBS-backed instance that is scheduled for a maintenance event is stopped and restarted, AWS will restart the instance on different hardware that does not require maintenance.

The required-tags managed rule will report on resources that are not tagged according to the definitions that are set within the AWS Config rule. However, the rule is not connected to the tag policy that is set on the organization level.

Amazon EventBridge (Amazon CloudWatch Events) can check for noncompliant resources according to the organization policy that is in place. You can use EventBridge (CloudWatch Events) to monitor when noncompliant tags are introduced.
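The following is an added example, not code from the wiki page or from AWS: it models the evaluation logic of a required-tags check, using the parameter shape of the AWS Config required-tags managed rule (tag1Key..tag6Key with optional comma-separated tag1Value..tag6Value). The resource inventory is constructed sample data; as the note above says, such a check is independent of any organization-level tag policy, so the allowed values here come only from the rule parameters.

```python
"""Evaluate resource tags against a required-tags definition.

Added example (not from the wiki page): models the logic of the AWS Config
required-tags managed rule, which takes parameters tag1Key..tag6Key and
optional tag1Value..tag6Value (comma-separated allowed values). The
resource records below are constructed sample data.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def parse_rule_parameters(params):
    """Turn parameters such as {"tag1Key": "Env", "tag1Value": "prod,dev"}
    into {"Env": {"prod", "dev"}}; an empty value set means any value is OK."""
    required = {}
    for n in range(1, 7):
        key = params.get(f"tag{n}Key")
        if not key:
            continue
        raw = params.get(f"tag{n}Value", "")
        allowed = {v.strip() for v in raw.split(",") if v.strip()}
        required[key] = allowed
    return required


def evaluate_resource(tags, required):
    """Return (compliance_type, annotation) for one resource's tag map."""
    problems = []
    for key, allowed in required.items():
        if key not in tags:
            problems.append(f"missing tag '{key}'")
        elif allowed and tags[key] not in allowed:
            problems.append(
                f"tag '{key}' has value '{tags[key]}', expected one of {sorted(allowed)}"
            )
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "all required tags present"


def evaluate_inventory(resources, params):
    """Evaluate every resource; returns {resource_id: (compliance, annotation)}."""
    required = parse_rule_parameters(params)
    return {r["id"]: evaluate_resource(r.get("tags", {}), required) for r in resources}


# Constructed sample data: rule parameters and a small resource inventory.
RULE_PARAMETERS = {"tag1Key": "Environment", "tag1Value": "prod,dev", "tag2Key": "Owner"}

SAMPLE_RESOURCES = [
    {"id": "i-0aaa", "tags": {"Environment": "prod", "Owner": "payments"}},
    {"id": "i-0bbb", "tags": {"Environment": "test", "Owner": "payments"}},
    {"id": "vol-0ccc", "tags": {"Owner": "payments"}},
    {"id": "sg-0ddd", "tags": {}},
]

if __name__ == "__main__":
    for rid, (status, note) in evaluate_inventory(SAMPLE_RESOURCES, RULE_PARAMETERS).items():
        print(f"{rid:10} {status:14} {note}")
```

The annotation string is what a custom Config rule would return alongside the compliance type, so an operator reading the evaluation sees which tag is missing or carries a disallowed value rather than a bare NON_COMPLIANT.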

Security Groups are stateful, so if inbound traffic to an EC2 instance is allowed/successful, the return outbound traffic is also allowed.

Network ACLs are not stateful, so traffic must be allowed in both directions.
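To make the stateful-versus-stateless difference concrete, here is an added example (not from the wiki page) that models both evaluations in Python. The rule sets, addresses and the HTTPS request flow are constructed; the network ACL evaluation follows the documented behaviour (rules checked in ascending number order, first match wins, implicit deny at the end), and the security group model tracks connections so that a reply to an allowed request needs no matching outbound rule.

```python
"""Model stateless network ACL evaluation versus stateful security groups.

Added example (not from the wiki page). Rule sets and the sample flow are
constructed; the evaluation order (lowest rule number first, first match
wins, implicit deny) follows how VPC network ACLs are documented to behave.
"""
import ipaddress
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)  # range a NACL outbound rule must cover for reply traffic


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    ports: tuple    # (low, high) inclusive destination port range
    cidr: str       # remote CIDR: source for inbound, destination for outbound
    allow: bool

    def matches(self, proto, port, remote_ip):
        if self.protocol != "-1" and self.protocol != proto:
            return False
        if not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The return packet for this packet (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


def nacl_decision(rules, proto, port, remote_ip):
    """Stateless: walk rules in ascending number; first match decides; else deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, remote_ip):
            return rule.allow
    return False  # the implicit '*' deny rule


def nacl_allows_round_trip(inbound, outbound, request):
    """True only if the request passes inbound AND its reply passes outbound."""
    reply = request.reply()
    in_ok = nacl_decision(inbound, request.proto, request.dst_port, request.src_ip)
    out_ok = nacl_decision(outbound, reply.proto, reply.dst_port, reply.dst_ip)
    return in_ok and out_ok


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)  # connection-tracking state

    def allows(self, packet, direction):
        flow = (packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port, packet.proto)
        reverse = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port, packet.proto)
        if reverse in self.tracked:
            return True  # reply to a tracked connection: no rule lookup needed
        if direction == "inbound":
            rules, remote = self.inbound, packet.src_ip
        else:
            rules, remote = self.outbound, packet.dst_ip
        if any(r.allow and r.matches(packet.proto, packet.dst_port, remote) for r in rules):
            self.tracked.add(flow)
            return True
        return False


# Constructed sample: an HTTPS request from an internet client to an instance.
REQUEST = Packet("203.0.113.10", 51515, "10.0.1.5", 443)
NACL_IN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", True)]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", True)]
NACL_OUT_FIXED = [Rule(100, "tcp", EPHEMERAL, "0.0.0.0/0", True)]

if __name__ == "__main__":
    print("NACL, no ephemeral outbound rule:", nacl_allows_round_trip(NACL_IN, NACL_OUT_NO_EPHEMERAL, REQUEST))
    print("NACL, ephemeral outbound rule:   ", nacl_allows_round_trip(NACL_IN, NACL_OUT_FIXED, REQUEST))
    sg = SecurityGroup(inbound=[Rule(1, "tcp", (443, 443), "0.0.0.0/0", True)], outbound=[])
    print("SG request:", sg.allows(REQUEST, "inbound"), "SG reply:", sg.allows(REQUEST.reply(), "outbound"))
```

The NACL case fails until the outbound rule covers the client's ephemeral port, which is the usual cause of "inbound is open but connections hang" when a custom network ACL is introduced; the security group with no outbound rules at all still passes the reply because the flow was tracked when the request was allowed.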

Restored snapshots require initialization. For EBS volumes that are created from snapshots, the storage blocks must be pulled down from Amazon S3 and written to the volume before the data can be accessed. This preliminary action takes time and can cause a significant increase in the latency of I/O operations the first time each block is accessed. Full volume performance is achieved only after all blocks have been downloaded and written to the volume.

To avoid this initial performance decline in a production environment, the following options are available:

  • Force the immediate initialization of the entire volume.
  • Activate fast snapshot restore on a snapshot to ensure that the EBS volumes that are created from it are fully initialized at creation and instantly deliver all of their provisioned performance.

Amazon ElastiCache for Redis

  • Cluster mode disabled - one node group (shard) with one primary and up to 5 read replicas
  • Cluster mode enabled - up to 500 node groups (shards), each with one primary and up to 5 read replicas

EC2 launch templates can be versioned; EC2 launch configurations cannot.

With EC2 ASG lifecycle hooks, you can perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. When an instance is paused, the instance remains in a wait state until you complete the lifecycle action by using the complete-lifecycle-action command or the CompleteLifecycleAction operation, or until the timeout period ends (1 hour by default).

Simple scaling policies can be configured to take action when a CloudWatch alarm is active. Simple scaling policies can be configured to scale in or out, and they repeat the action during a set time interval. These policies scale a fixed number of instances.

Amazon Data Lifecycle Manager (DLM) can be used to automate the creation, retention, and deletion of EBS snapshots and EBS-backed Amazon Machine Images (AMIs).

AWS Budgets is used to monitor and alert on costs, and can be used at the account level.

When S3 Versioning is enabled, a simple delete request cannot permanently delete an object. Instead, Amazon S3 inserts a delete marker in the S3 bucket, and that marker becomes the current version of the object with a new version ID. Even though the aws s3 ls command shows no output, the original file still exists. Before the S3 bucket can be removed, you must delete all objects that have a delete marker by using their version IDs.
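As an added example (not from the wiki page), the code below works on the structure that S3's ListObjectVersions call returns (a Versions list and a DeleteMarkers list whose entries carry Key, VersionId and IsLatest) and shows why a key hidden behind a delete marker still counts toward emptying the bucket. The listing is constructed sample data, and the generated request bodies follow the DeleteObjects shape (Objects with Key and VersionId, at most 1000 per request).

```python
"""Find what must be deleted to empty a versioned S3 bucket.

Added example (not from the wiki page). It works on the structure returned
by S3's ListObjectVersions call (boto3 list_object_versions): a 'Versions'
list and a 'DeleteMarkers' list whose entries carry Key, VersionId and
IsLatest. The listing below is constructed sample data.
"""


def visible_keys(listing):
    """Keys a plain listing (aws s3 ls) shows: the latest version is a real object."""
    return sorted(v["Key"] for v in listing.get("Versions", []) if v["IsLatest"])


def hidden_keys(listing):
    """Keys whose current version is a delete marker: invisible, but still stored."""
    return sorted(m["Key"] for m in listing.get("DeleteMarkers", []) if m["IsLatest"])


def all_version_ids(listing):
    """Every (Key, VersionId) pair, object versions and delete markers alike."""
    entries = listing.get("Versions", []) + listing.get("DeleteMarkers", [])
    return [(e["Key"], e["VersionId"]) for e in entries]


def delete_batches(listing, batch_size=1000):
    """Build DeleteObjects request bodies (max 1000 keys each) that remove every
    version and delete marker, which is what deleting the bucket requires."""
    pairs = all_version_ids(listing)
    batches = []
    for start in range(0, len(pairs), batch_size):
        chunk = pairs[start:start + batch_size]
        batches.append(
            {"Objects": [{"Key": k, "VersionId": v} for k, v in chunk], "Quiet": True}
        )
    return batches


# Constructed listing: 'report.csv' was overwritten once and then deleted without
# a version id, so its newest "version" is a delete marker; 'keep.txt' is intact.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "report.csv", "VersionId": "v2-EXAMPLE", "IsLatest": False, "Size": 2048},
        {"Key": "report.csv", "VersionId": "v1-EXAMPLE", "IsLatest": False, "Size": 1024},
        {"Key": "keep.txt", "VersionId": "k1-EXAMPLE", "IsLatest": True, "Size": 12},
    ],
    "DeleteMarkers": [
        {"Key": "report.csv", "VersionId": "dm-EXAMPLE", "IsLatest": True},
    ],
}

if __name__ == "__main__":
    print("visible:", visible_keys(SAMPLE_LISTING))
    print("hidden by delete marker:", hidden_keys(SAMPLE_LISTING))
    for body in delete_batches(SAMPLE_LISTING):
        print(len(body["Objects"]), "entries in one DeleteObjects request")
```

Fed into the real API, each batch would be one `delete_objects` call with the bucket name; the point to take from the sample is that `report.csv` never appears in the visible listing yet contributes three entries (two old versions plus the marker) that still have to be removed.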

To retain an RDS DB instance when the associated CloudFormation stack is deleted, set the DeletionPolicy attribute of the RDS resource in the CloudFormation template to Retain.

Systems Manager Patch Manager automates the process of patching managed instances with security-related updates and other types of updates. You can use Patch Manager to apply patches for operating systems and applications. Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. You can install patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task. You also can install patches individually or to large groups of instances by using EC2 tags.

You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.

AWS Network Firewall can be configured to be stateful or stateless. However, Network Firewall works at the VPC level and not lower.

Traffic Mirroring allows for deep packet inspection. It must be set up on the elastic network interface, not on the VPC. Traffic Mirroring copies inbound and outbound traffic from the network interfaces that are attached to Amazon EC2 instances. You can send the mirrored traffic to the network interface of another EC2 instance, or to a Network Load Balancer that has a UDP listener. Filters can reduce the amount of traffic that gets mirrored.

CloudFront Origin Shield can help improve the cache hit ratio of your CloudFront distribution, because it provides an additional layer of caching in front of your origin.

Zonal RIs and Regional RIs have a minimum commitment period of 1 year. Savings Plans do not provide capacity reservation. On-Demand Capacity Reservations allow EC2 instances to be reserved in an AZ for any duration.

Tags that are applied to S3 objects can't be tracked as cost allocation tags.

There are three types of placement groups: cluster, partition, and spread. Cluster placement groups provide the closest physical placement of instances. Instances in the same cluster placement group have a higher throughput limit for each flow for TCP/IP traffic and are placed in the same high-bisection bandwidth segment of the network. Cluster placement groups are Single-AZ deployments only.

When resiliency is most important, partition and spread placement groups provide options of Multi-AZ or Single-AZ deployments while ensuring that individual nodes run on separate racks. Partition placement groups divide the cluster into three partitions that are physically separated in the Availability Zone. Spread placement groups place each instance on its own rack inside the Availability Zone. Service quotas can be a factor in the selection of a placement group.

An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead. An egress-only internet gateway also prevents the internet from initiating an IPv6 connection with instances.

A Multi-AZ RDS deployment improves availability but not performance, because the primary instance specs remain the same and the standby replica does not handle any traffic.

To improve the performance of an RDS DB instance, increase the DB instance size or create read replicas.

CloudFront does not have a geolocation routing feature. You can use CloudFront to restrict content delivery through geographic blocking, but this feature does not address routing.

General Purpose EBS SSD storage provides a balance of price and performance. It can burst up to 3,000 IOPS for extended periods of time.

DynamoDB can function as a session store. The main benefits of DynamoDB are its ability to scale reliably to millions of concurrent users and requests while ensuring consistently low latency that is measured in single-digit milliseconds. In addition, as a fully managed service, DynamoDB has no operational overhead. The company's developers can focus on their development instead of database management.

When an instance is terminated, the value of the DeleteOnTermination attribute for each attached EBS volume determines whether to preserve or delete the volume. By default, the DeleteOnTermination attribute is set to True for the root volume. By default, the DeleteOnTermination attribute is set to False for all other volume types. To preserve the root volume when an instance is terminated, change the DeleteOnTermination attribute for the root volume to False.

The maximum throughput of a Site-to-Site VPN connection is 1.25 Gbps. If you need higher throughput, you could use equal cost multipath (ECMP) routing. ECMP routing is available for VPN connections that are attached to a transit gateway. With ECMP routing, you can aggregate multiple VPN connections to achieve a higher effective throughput.

Amazon Cognito user pools are user directories that provide sign-up and sign-in options for web users and mobile app users. You can add MFA to Amazon Cognito user pools for secondary validation.

When you launch an RDS instance with encryption enabled, logs and backups are automatically encrypted.

AWS Config conformance packs are collections of AWS Config rules and remediation actions that you can deploy as a single entity in an account and a Region or across an organization in AWS Organizations.

The EC2 ModifyVolume action can change a volume's type or increase its size without incurring any volume downtime. The CloudWatch GetMetricData action can show the IOPS and throughput of an io1 volume to help you determine whether it is a good candidate for modification to a lower-cost volume type.

STS

By default, AWS STS is a global service with endpoints hosted in us-east-1. AWS recommends using regional AWS STS endpoints to reduce latency, gain built-in redundancy, and increase session token validity.

GetFederationToken: Returns a set of temporary security credentials for a federated user. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application.

SQS

SQS standard queues offer more throughput than SQS FIFO queues.

A Lambda function can be triggered for every message received in an SQS queue.

To delete a message from an SQS queue, specify the message's ReceiptHandle, not its MessageId.

Messages in an SQS queue are not encrypted by default; you can enable encryption.