  • You can use subscription filters to stream logs from CloudWatch to other services.
  • Look at CloudFormation helper scripts and Resource Attributes again.
  • Deletion Policy: you can apply Snapshot to EC2 Volume, ElastiCache CacheCluster or ReplicationGroup, Neptune DBCluster, RDS DBCluster or DBInstance, or Redshift Cluster.
  • S3 is not ideal for handling real time data transformation.
  • When you create a public and private subnet through a VPC wizard, it will create a NAT Gateway with an elastic IP address.
  • If the application is using TCP, configure proxy protocol to pass the client IP address in a new TCP header. If the application is using HTTP, modify the application code to pull the client IP from the X-Forwarded-For header so the web servers can parse it.
  • If you want to store a certificate outside the instance, you may use AWS ACM and apply an IAM policy so that only the specific security authorities can access it. Avoid giving instances access to HSM or ACM. It’s better to let the ELB manage the SSL certificates.
  • S3 is not integrated with CloudHSM.
  • You need to create an alias record in Route53 to point to the ELB.
  • ElastiCache can be used to store session state in cache rather than in any database. It allows you to quickly retrieve session state info. Better than ELB sticky sessions.
  • EC2 instance types have a limit on maximum throughput. In order to achieve 24000 IOPS for 6 instances, you would need 8xlarge.
  • AWS Batch uses its own job queue, not an SQS queue, as the place where you submit AWS Batch jobs.
  • Route53 will evaluate the latency record set first and then the weighted record set.
  • You can only add new EC2 instances with new AMIs at the layer level in AWS OpsWorks.
  • With the Consolidated Billing feature, only the master account will be able to see the Cost and Usage Reports for all the accounts.
  • Use the standby feature instead of the suspend-resume feature if you need to troubleshoot or reboot an instance.
  • If you would like to authenticate HTTPS client requests on the web server itself, you can configure the ELB with TCP listeners on port TCP/443 and place the web servers behind it. Or you can communicate directly with the web servers behind a Route 53 Record Set with Elastic IPs.
  • In order for mobile app users to make use of Google login via Amazon Cognito, you need to set up the identity pool for the permissions, not the user pool.
  • When you want to migrate a database that Database Migration Service does not support as a source, first upload the CSV files to S3, then create an S3 source endpoint and a DynamoDB target endpoint in the AWS DMS console. Once the S3 source endpoint is configured, add the table mapping rule with a JSON table structure. Create a Replication Task to move the data from the source to the target endpoint.
  • AWS License Manager is a central place to manage licenses on EC2 and on-premises instances. It contains 3 parts:
    • Define licensing rules
    • Enforce licensing rules
    • Track usage
  • Storage Gateway - Gateway Cached Volumes support volumes of 1024TB in size, whereas Gateway Stored Volumes support volumes of 512TB in size.
  • Originally ALBs supported only one certificate per standard HTTPS listener (port 443), so you had to use a wildcard or multi-domain (SAN) certificate to host multiple secure applications behind one ALB. The potential security risks of wildcard certificates and the operational overhead of managing multi-domain certificates presented challenges. With Server Name Indication (SNI) support, you can use multiple certificates with a listener, and each secure application behind a load balancer can use its own certificate. You can use host conditions to define rules that forward requests to different target groups based on the host name in the Host header.
  • If you would like to access AWS resources directly from the client side (mobile or web app), use Cognito Identity Pools. Otherwise, use Cognito User Pools. User Pools return a JSON Web Token that you can use as an authoriser for any existing API, whereas with Identity Pools you get temporary AWS credentials.
  • With User Pools:
    • You get a whole user management system; let users sign up with email and password or via an IdP
    • You can include additional features such as MFA etc.
    • If you’d like to secure an API not exposed by API Gateway, then make use of User Pools
    • When you’d like to give access to your users’ data to another application.
  • With Identity Pools:
    • They fully rely on trusted third-party identity providers for authentication. E.g. you could query DynamoDB tables directly from the client or publish an SNS notification
  • You cannot convert an existing standard SQS queue to a FIFO queue.
  • HTTP error codes are defined first in the Method Response part of API Gateway, which is the front end. Mapping of error codes from the backend needs to be configured within the Integration Response part of API Gateway, which faces the backend.
  • SQS Deduplication ID: a token that prevents the same message from being processed more than once.
  • You can take point in time snapshots of Storage Gateway Volumes in the form of EBS snapshots and can mount them to EC2 instances.
  • Direct Connect Gateway is a service that lets you connect a Direct Connect connection, over a private virtual interface, to one or more VPCs in the same account that are located in the same or different regions.
  • ALB terminates SSL traffic. When the requirement is to keep the traffic encrypted all the way to the EC2 instances, you need to use a Network Load Balancer.
  • In NLB, you can configure a target group to register targets by instance ID or by IP address. If you specify targets by instance ID, the source IP addresses of the clients are preserved and provided to your applications. If you specify targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes.
  • When messages in an SQS queue can’t be consumed successfully, the message can be put into a dead-letter queue, which is ideal for isolating the problematic message.
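As an added illustration of the TCP vs. HTTP client-IP note above (example code, not from the original notes): a parser for the PROXY protocol v1 header that a TCP listener passes through, and a right-to-left walk of X-Forwarded-For that trusts only the load balancer's own hops, since the left-most entries are whatever the client chose to send. The sample header bytes, the X-Forwarded-For value and the 10.0.0.0/16 "trusted proxy" range are constructed assumptions.

```python
import ipaddress

# Constructed sample inputs (not taken from the notes above).
PROXY_LINE = b"PROXY TCP4 203.0.113.7 10.0.1.25 51234 443\r\nGET / HTTP/1.1\r\n"
# Left: value forged by the client; middle: real peer address appended by the
# load balancer; right: load balancer node address appended by an internal hop.
XFF_HEADER = "203.0.113.7, 198.51.100.9, 10.0.1.25"

# Assumption: load balancer nodes and internal hops live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header (the TCP-listener case).

    Returns (client_ip, client_port, remaining_bytes); raises ValueError on
    anything malformed, including the address-less "PROXY UNKNOWN" form.
    """
    end = data.find(b"\r\n")
    if end == -1 or end > 105:  # v1 header is at most 107 bytes incl. CRLF
        raise ValueError("no PROXY v1 header")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src_ip = ipaddress.ip_address(parts[2])
    if src_ip.version != (4 if parts[1] == "TCP4" else 6):
        raise ValueError("address family mismatch")
    src_port = int(parts[4])
    if not 0 < src_port < 65536:
        raise ValueError("bad source port")
    return str(src_ip), src_port, data[end + 2:]


def client_ip_from_xff(xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Return the client address from X-Forwarded-For.

    Walk the hops from the right and skip every address that belongs to a
    trusted proxy; the first untrusted hop is the client. Reading the
    left-most entry instead would let the client spoof its own address.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in trusted):
            return str(addr)
    raise ValueError("every hop is a trusted proxy; no client address")
```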

Monitoring, Logging & Cost Management

CloudWatch Logs

  • Use subscription filters to aggregate logs across different log groups into a Kinesis Data Stream.
  • Default to CloudWatch Logs for both on-premises and AWS.
  • Export logs to S3 - CreateExportTask; it can take 12 hours.
  • For near real time or persisting logs - use Kinesis Firehose.
  • For real time, use Lambda or Kinesis Data Streams with the KCL.
  • Deliver to Elasticsearch using AWS Managed Lambda.
  • Metric Filter: filter and scan incoming log data and generate a CloudWatch Metric from the matches.

AWS Trusted Advisor

  • There are 7 free core checks (with Basic or Developer support):
  • S3 Bucket permissions - not objects
  • Security Groups - specific ports unrestricted
  • IAM use and MFA on Root account
  • EBS public snapshots
  • RDS public snapshots
  • 50 service limit checks
  • For Business and Enterprise Support: you get 115 further checks (14 cost, 17 security, 24 fault tolerance, 10 performance and 50 service limit related checks). You can also access them via the AWS Support API, which returns the names and identifiers of the checks Trusted Advisor offers.
  • You can also integrate with CloudWatch Events.