AWS SAA 学习笔记

前言

因工作内容需要，需要大量基于aws去构建系统。因为此前没有aws的任何经验，最近学习了一波aws的一些服务，顺便报了一下soa的考试。

image.png

在学完aws各种服务的作用之后，准备考试就离不开练习。我用了下述材料。

下属知识点 来自于这份试卷

个人比较推荐，因为这份试卷的题目，背后都有详细的解答，每道题为什么要选这个，为什么不选其他的。个人观点，对aws的基本服务都了解后，把这份试卷里的知识点都搞清楚。过考试应该问题不大。

EC2 instance standby state

image.png

ALB Routing Method

• Host-based Routing: the Host field of the HTTP header

• Path-based Routing: the URL path

• HTTP header-based routing: the value of any standard or custom HTTP header.

• HTTP method-based routing: any standard or custom HTTP method.

• Query string parameter-based routing: query string or query parameters.

• Source IP address CIDR-based routing: source IP address CIDR from where the request originates.

• Path-based Routing Overview: You can use path conditions to define rules that route requests based on the URL in the request (also known as path-based routing).

ASG rebalance 策略

image.png

RDS 维护

image.png

• 硬件 如果是MULTI-AZ ， 无DOWNTIME
• OS 如果是MULTI-AZ, 无DOWNTIME
• DB Engine, 无论如何都有downtime

HPC

Elastic Fabric Adapter (EFA)是Amazon EC2实例的网络接口，它允许客户在AWS上运行需要高级别节点间通信的应用程序。其定制的操作系统(OS)旁路硬件接口提高了实例间通信的性能，这对扩展这些应用程序至关重要。

限制可以看的资源

Many companies that distribute content over the internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee.

To securely serve this private content by using CloudFront, you can do the following:

Require that your users access your private content by using special CloudFront signed URLs or signed cookies.

image.png

Amazon FSx for Windows File Server

支持

• industry-standard Service Message Block (SMB) protocol
• user quotas
• end-user file restore
• Microsoft Active Directory (AD) integration

Route 53 policy

image.png

RDS Deployment

image.png

snowball vs snowmobile

snowball 80TB 的存储。 snowmobile 至少10PB

direct connect 非常COST

Direct Connect involves significant monetary investment and takes several months to set up

S3 Transfer Acceleration (S3TA) Overview

image.png

Price for storage

With Amazon EFS, you pay only for the resources that you use. The EFS Standard Storage pricing is 0.30 for the month.

For EBS General Purpose SSD (gp2) volumes, the charges are 0.10*100 = $10. This cost is irrespective of how much storage is actually consumed by the test file.

For S3 Standard storage, the pricing is 0.023.

AURORA 选主策略

1. 首先比较谁的tier 低（越低，优先级越高）
2. 然后相同tier，看谁的size 大
3. 如果还一样，任意选1个。

kinesis firehose vs analytics vs glue job vs spark streaming

• Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools
• Amazon Kinesis Data Analytics is the easiest way to analyze streaming data in real-time. the input is usually from Kinesis stream or firehose
• AWS Glue job is meant to be used for batch ETL data processing and it's not the right fit for a near real-time data processing use-case.
• Using an EMR cluster would imply managing the underlying infrastructure

AWS Lambda 最高并发执行度是1000，可以找AWS support to raise the account limit

spread placement group config

A spread placement group can span multiple Availability Zones in the same Region. You can have a maximum of seven running instances per Availability Zone per group. Therefore, to deploy 15 EC2 instances in a single Spread placement group, the company needs to use 3 AZs.

AWS Storage gateway choice

• iSCSI block storage volumes -> volume
• NFS -> file
• moving tape backups -> tape

AWS root account security

• better to enable Multi Factor Authentication (MFA) for privileged users via an MFA-enabled mobile device or hardware MFA token
• turn on CloudTrail to log all IAM actions for monitoring and audit purposes
• user account credentials should not be shared between users
• recommends granting the least privileges required to complete a certain job

• recommended to use roles to grant access permissions for EC2 instances working on different AWS services

  
  image.png

HOW ASG life cycle work

image.png

AMI

image.png

delete a CMK

image.png

S3 Versioning

image.png

Tuning S3

image.png

direct connect

• establish a dedicated, encrypted, low latency, and high throughput connection between its data center and AWS Cloud
• encrypted need a VPN

• low latency, and high throughput need direct connection

  
  image.png

With AWS Direct Connect plus VPN, you can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.

orgnaization SCP

Secrets Manager vs SSM Parameter Store

前者专门用来存密码的，后者范围更广也可以存密码。但是前者提供auto-rotate 功能，后者需要手动。

NACL vs AWS-Shield Advanced vs WAF

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.

helps to block specific IPs. On top of things, NACLs are defined at the subnet level

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. (no rate-based rules)

RAM

AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM. RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.

S3 Strong consistency

all S3 GET, PUT, and LIST operations, as well as operations that change object tags, ACLs, or metadata, are strongly consistent. What you write is what you will read, and the results of a LIST will be an accurate reflection of what’s in the bucket.

spot blocks

Spot Instances with a defined duration (also known as Spot blocks) are designed not to be interrupted and will run continuously for the duration you select. This makes them ideal for jobs that take a finite time to complete, such as batch processing, encoding and rendering, modeling and analysis, and continuous integration.

AWS access policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

bastion host

Including bastion hosts in your VPC environment enables you to securely connect to your Linux instances without exposing your environment to the Internet. After you set up your bastion hosts, you can access the other instances in your VPC through Secure Shell (SSH) connections on Linux. Bastion hosts are also configured with security groups to provide fine-grained ingress control.

You need to remember that Bastion Hosts are using the SSH protocol, which is a TCP based protocol on port 22. They must be publicly accessible.

S3 partial fetch

Using the Range HTTP header in a GET Object request, you can fetch a byte-range from an object, transferring only the specified portion. You can use concurrent connections to Amazon S3 to fetch different byte ranges from within the same object. This helps you achieve higher aggregate throughput versus a single whole-object request. Fetching smaller ranges of a large object also allows your application to improve retry times when requests are interrupted.

with Amazon S3 Select, you can scan a subset of an object by specifying a range of bytes to query using the ScanRange parameter. This capability lets you parallelize scanning the whole object by splitting the work into separate Amazon S3 Select requests for a series of non-overlapping scan ranges. Use the Amazon S3 Select ScanRange parameter and Start at (Byte) and End at (Byte).

AWS on-premise backup

1. 如果你在on-premise环境有自己的backup and archive software能够使用S3提供的API。
   那意味着该软件是AWS认可的，可以直接backup，其他啥也不需要。

2. 如果这个软件没有natively support the AWS Cloud，可以使用can use AWS Storage Gateway

3. Storage Gateway的本质目标是让你在on-premise的系统可以直接接入scalable cloud storage

4. 你可以部署AWS Storage Gateway通过VM 或者专属硬件

5. storage gateway下有3种模式， file, tape, volume

   • File gateway 是在你有自己的backup application却无法使用S3 API时 想backup使用. 原理是它的SMB和NFS接口支持为IT group提供了一种将备份作业从现有的本地备份系统转移到云上的方法。对于必须快速恢复最近备份的文件的场景，它特别有用。因为通过SMB,NFS，用户可以像访问网络共享文件一样的去访问文件。通过object versioning, 还可以访问它的以前的版本。

   • volume gateway 是给你的本地system提供cloud-based iSCSI block storage volumes。它的备份是能够把你本地system的在一个时间点上的volume snapshot给存储进AWS上的EBS的snapshot.有了EBS snapshot，我们就可以在任意的EC2上attach它们，起到disaster recovery的效果。也正是因为基于了EBS snapshot，他就可以被aws backup去接管，去设计plan对它进行再备份。

     
     image.png

   AWS Backup 原理
   核心作用是提供备份功能，方便你去管理定制备份计划。

   1. 对其他支持的SERVICE， 通过系统内置的backup功能进行备份。
   2. 对EC2，会备份the root volume, all data volumes, instance configurations. 所以原理就是获取上述所有东西的snapshot，这些数据会被存放进EBS volume-backed AMI

   • tape gateway 会把到AWS S3的数据在3个AZ复制，达到11个9的持久性。要使用它关键是需要你本地backup application 支持iSCSI-based tape library interface，还要保证每个tape 至少要100 GB空间

image.png

AWS Global Accelerator vs Transfer Acceleration

Transfer Acceleration 可以吧文件放到edge location,同时兼容multipart upload

Global Accelerator 主要是帮你路由到最低延迟的区域，同时提供health check和DDOS保护

Global Accelerator vs CloudFront

都有DDOS保护

• cloudfront 主要是缓存图片和视频，动态内容。支持 HTTP/RTMP protocol
• GA 主要是适合 TCP/UDP；并且IP是静态的，需要确定的快速regional failover 使用GA

AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.

Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.

direct connect vs site-2-site VPN

dc 是private的连接。

• direct connect 核心作用是建立一个专门的网络从自己的服务器到AWS。
  • Direct Connect Gateway: 需要连接到不同region下的多个VPC时用
• site-2-site 首先要在AWS这里建立virtual private gateway; 随后要在用户那边建立customer gateway. 然后就可以搭建一个VPN

interface endpoints vs gateway endpoints

• interface endpoints 是基于ENI 到一个你子网的private ip
• Gateway Endpoint 是直接注册进路由表，把你直接导过去的一个 gateway

IAM vs ACL vs SG vs S3 Bucket Policies

• S3 bucket policy

  • 可以对S3 BUCKET 内部的OBJECTS 添加或取消permission。 这些POLICY 可以给users, groups, buckets
  • 可以grant user within your aws account or other aws account
  • 可以基于给定的条件（如日期，是否SSL, IP条件）来给予权限

• IAM 主要是管理你自己ACCOUNT 下多个USER的不同权限的。

• ACL 只能确保别的AWS account 是否有权限来访问S3。不能指定具体的USER

• SG 是一个virutal firewall 来控制进出的traffic。

要从S3 Standrad 转移到其他存储至少需要30天

Amazon FSx for Lustre vs Amazon FSx for Windows File Server

lustre主要是处理ML, HPC， 视频处理， 财务模型。 它集成了S3，把S3 OBJECT 直接当作自己的FILE, 也允许直接透明的写回S3。
提供并行处理'hot data'用分布式的方式，也可以支持对'cold data'存储进S3。

Windows File Server 提供SMB 协议， 构建在windows server上。 提供的feature有 user quotas, end-user file restore, Microsoft AD integration.
不支持S3的集成。

ElastiCache redis vs memcache

• redis 支持online cluster resizing, encryption, HIPPA eligible, PCI DSS Compliant

• memcache 支持 Auto Discovery 帮助开发者在简化应用连接到集群时的时间

  
  redis_vs_memcache.png

LaunchTemplate vs Launch Configuration

都可以配置AM， instance type, key pair, security group.

不同之处

1. configuration 必须每次re-create
2. template 可以有多个version, 支持parameter 子集重用，可以混合on-demand and spot instances
3. template 可以使用 T2 unlimited burst feature

EC2 创建策略

EC2服务试图以这样一种方式放置实例，即所有实例都分散在底层硬件上，以最小化相关故障。
我们可以use placement groups to influence the placement of a group of interdependent instances to meet the needs of your workload.

• Cluster: packs instances close together inside an Availability Zone
• Partition: 不同PARTION 不共享底层硬件
• Spread: 严格不共享底层硬件来最小化相关失败

VPC Peering, software VPN, VPN CloudHub, VPC Endpoint

• VPC Peering: 连接2个VPC的，不具备传递性，必须没有重复的CID。 可以做VPC peering with another AWS account。 必须更新路由表
• VPC Endpoint: 和内部AWS Service 直接通讯，而无需暴露public www network
• VPN CloudHub: 如果有多个 S2S VPN, 可以用这个技术
• Software VPN just handles connectivity between the remote network and Amazon VPC

NAT instance vs gateway

nat_instance_vs_gw.png

NLB 转发到目标的PRIVATE IPS

A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.

Request Routing and IP Addresses -

If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. The load balancer rewrites the destination IP address from the data packet before forwarding it to the target instance.

If you specify targets using IP addresses, you can route traffic to an instance using any private IP address from one or more network interfaces. This enables multiple applications on an instance to use the same port. Note that each network interface can have its security group. The load balancer rewrites the destination IP address before forwarding it to the target.

Dedicated Host vs Dedicated Instance

dedicate_host_vs_instance.png

On-demand vs Spot Instance

ondemand_spot_instance.png

Amazon VPC console wizard

支持4种模式

1. 单独的public subset, 如博客
2. public subset + private subset, 一个对外的服务，接一个在内网的数据库
3. public subset + private subset + Site-to-Site VPN access, 内网可以extend到其他的云服务那
4. private subset + Site-to-Site VPN access, 使用Amazon的基础设施将网络扩展到云中，而不向Internet公开网络

How WAF Works

waf.png

security groups

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you can specify one or more security groups; otherwise, we use the default security group. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When we decide whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups that are associated with the instance. The following are the characteristics of security group rules: By default, security groups allow all outbound traffic. Security group rules are always permissive; you can't create rules that deny access. Security groups are stateful.

IAM roles

IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials for access to a resource. Using IAM roles, it is possible to access cross-account resources.

RAM

VPC sharing (part of Resource Access Manager) allows multiple AWS accounts to create their application resources such as EC2 instances, RDS databases, Redshift clusters, and Lambda functions, into shared and centrally-managed Amazon Virtual Private Clouds (VPCs). To set this up, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.

You can share Amazon VPCs to leverage the implicit routing within a VPC for applications that require a high degree of interconnectivity and are within the same trust boundaries. This reduces the number of VPCs that you create and manage while using separate accounts for billing and access control.

transit gateway

he AWS Transit Gateway allows customers to connect their Amazon VPCs and their on-premises networks to a single gateway. As your number of workloads running on AWS increases, you need to be able to scale your networks across multiple accounts and Amazon VPCs to keep up with the growth. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network. AWS Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. This hub and spoke model simplifies management and reduces operational costs because each network only has to connect to the Transit Gateway and not to every other network.

root account vs admin user account

Some of the AWS tasks that only a root account user can do are as follows: change account name or root password or root email address, change AWS support plan, close AWS account, enable MFA on S3 bucket delete, create Cloudfront key pair, register for GovCloud.

user pool vs identity pool

user_id_pool.png

visibility timeout vs delay queue

一个是防止重复消费。一个是延迟消费

storage gateway

可以暴露S3作为存储使得自己的站点可以使用AWS S3作为存储
内置了3种GATEWAY，分别是file, volume, tape

使用spot instance 一些注意事项

• 创建spot instance request 是分为一次性和持久的
• 如果是一次性的，instance 被interrupt，这个request 就结束了
• 如果是持久的，这个request 会 reopen
• spot instances 又一个配置的时间（1～6小时）被称作spot blocks
• 他们被设计成不可中断的，只有在很少的情况下因为EC2 容量的需要会中段
• 一般来说cancel spot request 不会去terminate spot instance.
• 如果我们想cancel 一个持久的request,我们必须先cancel request, 再手动terminate spot instance

"AWS Managed Microsoft AD" vs "AD Connector" vs "Simple AD"

• 看到从自己站点的用户登入到AWS端，就选AD Connector
• 如果有超过5000用户，并且想建立一个trust relationship在自己的站点和AWS之间。就选AWS Managed Microsoft AD
• 如果用户少于5000，并且不需要一些高级的AD Features比如建立trust relationship 和 其他domain，那么就选Simple AD

launch configuration

• launch configuration 是用来管理ASG去启动ec2 instance的
• 你可以在里面定义AM，instance type, key pair, security group, block device mapping
• launch configuration的 tenancy 是null, 这个instance 的租期会被VPC的租期所控制
• 如果VPC的租期是dedicated，那么instance 的租期必定是dedicated
• 如果VPC的租期是default, 那么只有launch configuration 配的租期是dedicate，才会是dedicated, 不然就是 shared
• 租期分为3类
  • shared, 多个AWS 账户 share 同样的物理硬件
  • dedicated , 你的instance 跑在单租户的硬件上
  • host, 你的instance 跑在物理服务器上，还能自己控制configuration

kinesis 3 vs SQS

• 首先kdf 是读取流数据然后放到存储中的(s3, redshift, elasticsearch, splunk)
• kds 提供了实时流处理，并且带有replay能力，保持顺序，是吧数据流入到下游的amazon kinesis app里
• KDF 是fully managed service 会自动扩容，不需要admin操作。 他也支持batch, compress, encrypt 数据在读入前。
• KDA 不能直接读入流数据，但是可以build sql query， 复杂的JAVA APP，对数据做分析。
• 如果一个message 需要被多个消费这重复消费多次，可以选kds.

"DataSync" vs "FileGateway" vs "SnowballEdge" vs "Transfer Family"

• DataSync 是一个online 文件传输服务，可以加速从AWS storage service 或者 direct connect复制大量的数据
• DataSync 天生集成了Amazon S3, Amazon EFS, Amazon FSx for Windows File Server, Amazon CloudWatch, and AWS CloudTrail
• 单个DataSync agent 可以得到10 Gbps network link
• DataSync 会retry 和 网络弹性伸缩机制，网络优化。
• SnowballEdge 是一个offline 文件传输服务， 单个snowball device 支持80TB
• Transfer Family 是单独针对S3上传和下载文件用的
• File Gateway， 是让你自己的站点可以使用S3作为文件存储的gateway

Route53

• 如果想让请求被转到AWS上，那么需要注册一个inbound endpoint, 那么自营的DNS resolver可以把DNS QUERY 转到这个ENDPOINT
• 如果想让请求被转到自营的网络里，那么需要注册一个outbound endpoint, 那么route53 可以吧请求转给on-premise network

cloudwatch recover instance

• terminated instance 无法被recover
• 一个recovered instance 和 原来的instance 在instance id, private ip, elastic ip, metadata 会一样
• 如果原来在placement group, 恢复后还是在原来的replacement group
• 会保留原来的public ip
• 内存中的数据会丢失

"AWS Config" vs "Management console" vs "System manager" vs "Trusted Advisor"

• Trusted Advisor 会给你一些架构部署的建议从5个维度（节约成本，性能，安全，容错，service limit)
• AWS Config 帮助你评估审计AWS资源的配置。比如某个AWS RESOURCE 配置的修改历史
• AWS Management Console 就是我们使用的那个管理各种AWS资源的网站
• System Manager, 可以对资源分组, 然后take action在组上。
• cloud trail, AWS账户的操作历史
• cloud watch, 监控APP的一些指标

Think resource performance monitoring, events, and alerts; think CloudWatch.

Think account-specific activity and audit; think CloudTrail.

Think resource-specific history, audit, and compliance; think Config.

ASG 的监控

• 如果使用lanuch template 或者用console 去创建launch configuration, 则默认使用basic monitoring
• 如果用AWS CLI 或者 SDK 去创建launch configuration， 就会使用detail monitoring

单测错题

• 静态IP暴露出去的LB 是 NLB

• 多个证书动态分发是通过SNI

  • SNI (Server Name Indication) is a feature allowing you to expose multiple SSL certs if the client supports it

• EBS locked by AZ

• multi AZ 用相同的connection string, replica 会提供不同的DNS name

• PostgreSQL 不支持 transparent data encryption

• Oracle 不支持 IAM authentication

• 切换LB不会立刻生效，因为DNS记录有TTL的缓存

  • DNS records have a TTL (Time to Live) in order for clients to know for how long to caches these values and not overload the DNS with DNS requests. TTL should be set to strike a balance between how long the value should be cached vs how much pressure should go on the DNS.

• 如果我自己购买了一个DOMAI，想注册进ROUTE 53. 我首先要创建一个public hosted zone, 然后在3rd party registrar 里更新NS records

• file bigger than 5GB 需要用multi part upload

• Explicit DENY in an IAM policy will take precedence over a bucket policy permission

• IAM roles are the right way to provide credentials and permissions to an EC2 instance

• Pre-Signed URL are temporary and grant time-limited access to some actions in your S3 bucket

• CloudFront Signed URL are commonly used to distribute paid content through dynamic CloudFront Signed URL generation.

• CloundFront have geo restriction

• Global Accelerator will provide us with the two static IP, and the ALB will provide use with the HTTP routing rules

• Snowball Edge is the right answer as it comes with computing capabilities and allows use to pre-process the data while it's being moved in Snowball, so we save time on the pre-processing side as well.

• Amazon API Gateway throttles requests to your API using the token bucket algorithm, where a token counts for a request. Specifically, API Gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs in your account. In the token bucket algorithm, the burst is the maximum bucket size.

• X-Ray 跨aws-account 去收集数据，帮助你DEBUG和分析分布式微服务架构

• VPC Flow log 获得IP Traffic 从你的network interface 在你的VPC里的信息。一般是用来分析网络的轨迹来帮助网络安全。

• Transit VPC 是用来在不同的region不同的DC间建立VPC的连接。相比transit gateway, gateway可以非常好的减少维护VPN连接的复杂度。同时自动化管理SCALE EC2里的需要路由的RESOURC。

• gateway还可以自动高可用通过MULTI-AZ INFRA. 提升带宽在inter-vpc communication里达到50 Gbps per AZ.

• VPC Peering 最好的使用场景是一个VPC和另一个VPC的通讯建立。这个VPC连接的数量小于10。 这样的方案可以提供最便宜的COST相比上2个选择。

• KDS 的优化， To reduce overhead and increase throughput, the application must batch records and implement parallel HTTP requests. This will increase the efficiency overall and ensure you are optimally using the shards.

• Amazon GuardDuty 是一个威胁检测服务，监控可以的活动和未授权的行为来保护AWS account。这个服务会用ML去分析海量数据从比如 AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs.

• With bucket policies, you can grant users within your AWS Account or other AWS Accounts access to your Amazon S3 resources.

• S3 不支持security group, 支持IAM POLICY 对自己account 下的USER, ACL 只可以用来限制外来的account, bucket policy 2个都可以。

• MYSQL & Postgres 有IAM database Authentication policy, in-flight encryption. Oracle & sql server 有Transparent Data Encryption

• 从s3 standard or IA-> IA or one Zone IA 必须存储30天

• 到了s3 IT, IA, ONE ZONE IA 必须要存30天，才可以去下一个life cycle

• DNS hostnames and DNS resolution are required settings for private hosted zones.

• private hosted zone 接受dns query 只从vpc dns server 。 这个server 的IP地址是保留的. 开启dns resolution可以让你使用该sever 作为resolver来处理dns resoltuion。

• When you create a hosted zone, Amazon Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone for public hosted zone.

• AWS DataSync makes it simple and fast to move large amounts of data online between on-premises storage and AWS Cloud， supports only NFS and SMB file types

• AWS Global Accelerator to distribute a portion of traffic to a particular deployment 可以避免DNS CACHE的问题（如果有ROUTE 53会遇到的问题），同时ELB也可以避免这个问题。但是使用前者可以跨REGION.

• cognito user pool 和 identity pool 的区别在于user pool 是一个user directory,用户可以通过第三方登陆机构。identity pool 是获得一个临时的证书去使用AWS SERVIC，可以支持匿名的用户

• cognito user pool 作用于alb 或者API GATEWA，不能作用在cloudfront

• 级联调用的时候，如果下层SERVICE出错，最佳做法是降级一个static response 返回给上层，保证服务可用

• S3 OBJECT属于写他的人，和这个BUCKET的主人无关

• event-based services with third-party SaaS services 使用 EventBridge

• AWS Cost Explorer 帮助定位低利用率的ec2

• AWS Compute Optimizer recommends optimal AWS Compute resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics

• Compute Optimizer to look at instance type recommendations

• Amazon S3 Analytics Storage Class analysis you can analyze storage access patterns to help you decide when to transition the right data to the right storage class.

• Use Centralized VPC Endpoints for connecting with multiple VPCs， 可以节约cost

• By default, all DynamoDB tables are encrypted under an AWS owned customer master key (CMK), which do not write to CloudTrail logs. 但是我们可以配置成customer管理的CMK, 或者AWS manage的cmk

• 如果IAM ROLE 为LAMBDA创建的是在同一个ACCOUNT下，不需要grant s3 perrmision 给 IAM 和 bucket policy。如果在不同的ACCOUNT下，就需要。

• Bucket owner account can delegate permissions to users in its own account, but it cannot delegate permissions to other AWS accounts

• Amazon EC2 Auto Scaling doesn't terminate an instance that came into service based on EC2 status checks and ELB health checks until the health check grace period expires

• By default, Amazon EC2 Auto Scaling doesn't use the results of ELB health checks to determine an instance's health status when the group's health check configuration is set to EC2.

• Amazon EC2 Auto Scaling does not immediately terminate instances with an Impaired status. Instead, Amazon EC2 Auto Scaling waits a few minutes for the instance to recover.

• With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account

• AWS WAF can be directly configured on ALB, API GATEWAY, Cloudfront

• AWS DMS enables you to seamlessly migrate data from supported sources to relational databases, data warehouses, streaming platforms, and other data stores in AWS cloud.

• S3 cannot directly write data into SNS, although it can certainly use S3 event notifications to send an event to SNS

• SNS cannot directly send messages to Kinesis Data Streams.

• Amazon EBS volumes are scoped to an individual AZ

• 有2种方式去控制access对SNS或SQS. 对大多数情况，应该给IAM添加一个POLICY, 然后通过添加USER 进GROUP来管理。如果要跨ACCOUNT 则需要对QUEUE添加POLICY然后给需要的ACCOUNT一个principle

  
  policy_for_reference.png

• 跨地域加速读，如果静态内容小于1GB, CloudFront更好，大于的话S3 Transfer Acceleration

• SES 可以直接发给LAMBDA 但是email body会被砍掉。一般会先发给SNS, 再用lambda处理之后转给kinesis

• Internet Gateway connectivity 2个必要条件，ACL要allow 进出traffic, routebale 需要有一个route指到internet gateway

• Use Access Advisor to determine the permissions the developers have used in the last few months and only give those permissions (with new IAM roles) while reverting the rest

• If you intend to reuse code in more than one Lambda function, you should consider creating a Lambda Layer for the reusable code

• AWS Global Accelerator 作用：

  1. 静态IP加到regional aws resource， 提供onboarding 给aws global network close to users
  2. 很容易去移动endpoint在AZ或region间，不需要更新DNS配置
  3. 通过为端点组配置流量拨号百分比，向上或向下拨出特定AWS区域的流量。
  4. 控制流量的比例by assigning weights across the endpoints

• With Global Accelerator, you are provided two global static customer-facing IPs to simplify traffic management.