Certified Solutions Architect Official Study Guide - Associate Exam
Joe Baron, Hisham Baz, Tim Bixler, Biff Gaut, Kevin E. Kelly, Sean Senior, John Stamper
Senior Acquisitions Editor: Kenyon Brown
Project Editor: Gary Schwartz
Production Editor: Dassi Zeidel
Copy Editor: Kezia Endsley
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: Johnna vanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Getty Images, Inc./Jeremy Woodhouse
Copyright © 2017 by AWS
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-13855-6
ISBN: 978-1-119-13955-3 (ebk.)
ISBN: 978-1-119-13954-6 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2016949703
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
For the original AWS instructor, Mike Culver, who taught us how to teach, lead, and inspire with tenacity and kindness.
CONTENTS
Acknowledgments
About the Authors
Foreword
Introduction
Assessment Test
Answers to Assessment Test
Chapter 1 Introduction to AWS
What Is Cloud Computing?
AWS Fundamentals
AWS Cloud Computing Platform
Summary
Exam Essentials
Review Questions
Chapter 2 Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
Introduction
Object Storage versus Traditional Block and File Storage
Amazon Simple Storage Service (Amazon S3) Basics
Buckets
Amazon S3 Advanced Features
Amazon Glacier
Summary
Exam Essentials
Exercises
Review Questions
Chapter 3 Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
Introduction
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Block Store (Amazon EBS)
Summary
Exam Essentials
Exercises
Review Questions
Chapter 4 Amazon Virtual Private Cloud (Amazon VPC)
Introduction
Amazon Virtual Private Cloud (Amazon VPC)
Subnets
Route Tables
Internet Gateways
Dynamic Host Configuration Protocol (DHCP) Option Sets
Elastic IP Addresses (EIPs)
Elastic Network Interfaces (ENIs)
Endpoints
Peering
Security Groups
Network Access Control Lists (ACLs)
Network Address Translation (NAT) Instances and NAT Gateways
Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
Summary
Exam Essentials
Exercises
Review Questions
Chapter 5 Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
Introduction
Elastic Load Balancing
Amazon CloudWatch
Auto Scaling
Summary
Exam Essentials
Exercises
Review Questions
Chapter 6 AWS Identity and Access Management (IAM)
Principals
Authentication
Authorization
Other Key Features
Summary
Exam Essentials
Exercises
Review Questions
Chapter 7 Databases and AWS
Database Primer
Amazon Relational Database Service (Amazon RDS)
Amazon Redshift
Amazon DynamoDB
Summary
Exam Essentials
Exercises
Review Questions
Chapter 8 SQS, SWF, and SNS
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Workflow Service (Amazon SWF)
Amazon Simple Notification Service (Amazon SNS)
Summary
Exam Essentials
Exercises
Review Questions
Chapter 9 Domain Name System (DNS) and Amazon Route 53
Domain Name System (DNS)
Amazon Route 53 Overview
Summary
Exam Essentials
Exercises
Review Questions
Chapter 10 Amazon ElastiCache
Introduction
In-Memory Caching
Amazon ElastiCache
Summary
Exam Essentials
Exercises
Review Questions
Chapter 11 Additional Key Services
Introduction
Storage and Content Delivery
Security
Analytics
DevOps
Summary
Exam Essentials
Review Questions
Chapter 12 Security on AWS
Introduction
Shared Responsibility Model
AWS Compliance Program
AWS Global Infrastructure Security
AWS Account Security Features
AWS Cloud Service-Specific Security
Summary
Exam Essentials
Exercises
Review Questions
Chapter 13 AWS Risk and Compliance
Introduction
Overview of Compliance in AWS
Evaluating and Integrating AWS Controls
AWS Risk and Compliance Program
AWS Reports, Certifications, and Third-Party Attestations
Summary
Exam Essentials
Review Questions
Chapter 14 Architecture Best Practices
Introduction
Design for Failure and Nothing Fails
Implement Elasticity
Leverage Different Storage Options
Build Security in Every Layer
Think Parallel
Loose Coupling Sets You Free
Don't Fear Constraints
Summary
Exam Essentials
Exercises
Review Questions
Appendix A Answers to Review Questions
Chapter 1: Introduction to AWS
Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
Chapter 6: AWS Identity and Access Management (IAM)
Chapter 7: Databases and AWS
Chapter 8: SQS, SWF, and SNS
Chapter 9: Domain Name System (DNS) and Amazon Route 53
Chapter 10: Amazon ElastiCache
Chapter 11: Additional Key Services
Chapter 12: Security on AWS
Chapter 13: AWS Risk and Compliance
Chapter 14: Architecture Best Practices
Advert
EULA
List of Tables
Chapter 3
TABLE 3.1
TABLE 3.2
TABLE 3.3
TABLE 3.4
TABLE 3.5
TABLE 3.6
Chapter 4
TABLE 4.1
TABLE 4.2
TABLE 4.3
TABLE 4.4
TABLE 4.5
Chapter 6
TABLE 6.1
TABLE 6.2
TABLE 6.3
Chapter 7
TABLE 7.1
TABLE 7.2
TABLE 7.3
TABLE 7.4
TABLE 7.5
Chapter 12
TABLE 12.1
Chapter 14
TABLE 14.1
List of Illustrations
Chapter 1
FIGURE 1.1 Six advantages of cloud computing
FIGURE 1.2 AWS Cloud computing platform
FIGURE 1.3 Auto scaling capacity
FIGURE 1.4 AWS CloudFormation workflow summary
Chapter 3
FIGURE 3.1 Memory and vCPUs for the m4 instance family
FIGURE 3.2 A workload using a mix of On-Demand and Reserved Instances
Chapter 4
FIGURE 4.1 VPC, subnets, and a route table
FIGURE 4.2 VPC, subnet, route table, and an Internet gateway
FIGURE 4.3 VPC peering connections do not support transitive routing
FIGURE 4.4 VPC with VPN connection to a customer network
Chapter 5
FIGURE 5.1 Auto Scaling group behind an Elastic Load Balancing load balancer
FIGURE 5.2 Auto Scaling group with policy
FIGURE 5.3 Amazon CloudWatch alarm triggering scaling out
Chapter 6
FIGURE 6.1 Different identities authenticating with AWS
FIGURE 6.2 Associating IAM users with policies
Chapter 7
FIGURE 7.1 Multi-AZ Amazon RDS architecture
FIGURE 7.2 Amazon Redshift cluster architecture
FIGURE 7.3 Table, items, attributes relationship
FIGURE 7.4 Table partitioning
Chapter 8
FIGURE 8.1 Message lifecycle
FIGURE 8.2 Diagram of visibility timeout
FIGURE 8.3 Amazon SWF workflow illustration
FIGURE 8.4 Diagram of topic delivery
FIGURE 8.5 Diagram of fanout scenario
Chapter 9
FIGURE 9.1 FQDN components
Chapter 10
FIGURE 10.1 Common caching architecture
FIGURE 10.2 Redis replication group
Chapter 11
FIGURE 11.1 Delivering static and dynamic content
FIGURE 11.2 High availability CloudHSM architecture
FIGURE 11.3 Amazon Kinesis Firehose
FIGURE 11.4 Amazon Kinesis Streams
FIGURE 11.5 Example pipeline
FIGURE 11.6 Simple application server stack
FIGURE 11.7 Simple application server stack with AWS OpsWorks
FIGURE 11.8 Creating a stack workflow
FIGURE 11.9 Updating a stack workflow
FIGURE 11.10 AWS Trusted Advisor Console dashboard
Chapter 12
FIGURE 12.1 The shared responsibility model
FIGURE 12.2 Amazon Web Services regions
FIGURE 12.3 Amazon EC2 multiple layers of security
FIGURE 12.4 Amazon EC2 security group firewall
FIGURE 12.5 Amazon VPC network architecture
FIGURE 12.6 Flexible network architectures
Chapter 13
FIGURE 13.1 Shared responsibility model
Chapter 14
FIGURE 14.1 Simple web application architecture
FIGURE 14.2 Updated web application architecture with redundancy
FIGURE 14.3 Updated web application architecture with auto scaling
FIGURE 14.4 Updated web application architecture with Amazon S3 and Amazon CloudFront
FIGURE 14.5 Updated web application architecture with Amazon ElastiCache and Amazon DynamoDB
FIGURE 14.6 Tight and loose coupling
FIGURE 14.7 Sample web application for chapter exercises
Acknowledgments
The authors would like to thank a few people who helped us develop and write this AWS Certified Solutions Architect Official Study Guide: Associate Exam.
First, thanks to all our families who put up with us spending weekends and evenings creating content, writing questions, and reviewing each other's chapters. Their patience and support made this book possible.
Niamh O'Byrne, AWS Certification Manager, who introduced all of the authors and many more solutions architects at AWS to certification testing and got this book started by challenging some of us to extend our reach and help more cloud practitioners get certified.
Nathan Bower and Victoria Steidel, amazing technical writers at AWS who reviewed and edited all the content and every question and gently made us better writers and communicators. They were tireless in reviewing and helping us hone and focus our content.
Patrick Shumate, a fellow AWS solutions architect who contributed test questions right when we needed the help to get us over the finish line.
We could not have written this book without the help of our friends at Wiley. Kenyon Brown, Senior Acquisitions Editor, corralled us and focused us on the end goal. Additionally, we were guided by Gary Schwartz, Project Editor; Kezia Endsley, Copyeditor; and Dassi Zeidel, Production Editor, who took output from different authors and turned it into a cohesive and complete finished product.
Lastly, we want to thank all the solutions architects at AWS who participated in certification blueprint development, question writing, and review sessions, and the development of a world-class certification program for cloud practitioners that is setting the standard for our industry.
About the Authors
Joe Baron, Principal Solutions Architect for AWS, is currently working with customers in the Southeastern United States. Joe joined AWS in 2009 as one of the first solutions architects, and in the years since he has helped customers of all sizes, from small startups to some of the largest enterprises in the world, to architect their infrastructures and migrate their applications to the cloud. He was also an early contributor to the AWS Associate and Professional Certified Solutions Architect programs. Joe holds a BS degree in engineering physics from Cornell University and is proud to be an "expert generalist." Prior to joining AWS, Joe had 25 years of experience in technology, with roles in data center automation, virtualization, life sciences, high-performance computing, 3D visualization, hardware and software development, and Independent Software Vendor (ISV) program management. He is also a dedicated husband to Carol and father of two children, Matt and Jessie. When not helping customers migrate all the things to the cloud, Joe is an amateur classical pianist and collector of traditional woodworking tools. He lives in the Raleigh, NC area.
Hisham Baz is a passionate software engineer and systems architect with expertise building distributed applications and high-performance, mission-critical systems. Since 2013, Hisham has been a solutions architect with AWS working with customers like Pinterest, Airbnb, and General Electric to build resilient architectures in the cloud with a focus on big data and analytics. Prior to Amazon, Hisham founded two early-stage startups, modernized the communications network connecting critical transportation infrastructure, and improved cellular networks with large-scale data analytics. Hisham is based in San Francisco, CA and lives with his wife, Suki. They can often be found hiking the redwoods.
Tim Bixler, Commercial Americas Southeast Area Solutions Architecture Leader for AWS, leads teams of solutions architects who provide AWS technical enablement, evangelism, and knowledge transfer to customers like Capital One, The Coca-Cola Company, AOL, Koch Industries, Cox Automotive, NASCAR, Emdeon, and Neustar. Tim has over 20 years of experience in improving systems and operational performance, productivity, and customer satisfaction for private and public global corporations as well as government agencies. He is also a public speaker for Amazon and enjoys helping customers adopt innovative solutions on AWS. But if you ask his 7-year-old son TJ what he does, he might say that daddy is a builder and a fixer. When not otherwise tasked, you can find him burrowed in his lab building robots driven by microcontrollers or at the local BrickFair admiring the creations that he has no time to build.
Biff Gaut started writing programs for a living on CP/M on the Osborne 1. Since those early days, he obtained a BS in engineering from Virginia Tech while writing C code on MS-DOS, married his wife, Holly, while writing his first GUI apps, and raised two children while transitioning from COM objects in C++ to web apps in .NET. Along the way, he led development teams from 1 to 50 members for companies including NASDAQ, Thomson Reuters, Verizon, Microsoft, FINRA, and Marriott. He has collaborated on two books and spoken at countless conferences, including Windows World and the Microsoft PDC. Biff is currently a solutions architect at AWS, helping customers across the country realize the benefits of the cloud by deploying secure, available, efficient workloads on AWS. And yes, that's his real name.
Kevin E. Kelly, Solutions Architecture Manager and early contributor to the AWS Solutions Architecture Certification exams, has been at AWS for over seven years helping companies architect their infrastructures and migrate their applications to the cloud. Kevin has a BS in computer science from Mercer University and a Master of Information Systems in business from the University of Montana. Before joining Amazon, Kevin was an Air Force officer, a programmer—including embedded programming—and a technical presales leader. Kevin has been the chairman of the Worldwide Web Consortium (W3C) Compound Document Format Working Group and led that open-standards working group in developing the Web Interactive Compound Document (WICD) profile for mobile and desktop devices. He has also served as the W3C Advisory Council Representative for Health Level 7 (HL7). Kevin lives in Virginia with his wife, Laurie, and their two daughters, Caroline and Amelia. Kevin is an amateur violin and mandolin player and a zymurgist.
Sean Senior is a solutions architect at AWS. Sean is a builder at heart and thrives in a fast-paced environment with continuous challenges. Sean has a BS in computer information and sciences from the University of Maryland University College. Sean is a devoted husband and father of a beautiful girl. He is a U.S. Navy veteran, avid sports fan, and gym rat. He loathes talking about himself in the third person, but can be persuaded to do so for a good reason.
John Stamper, Principal Solutions Architect at AWS, is a co-inventor for multiple AWS patents and is particularly fond of distributed systems at scale. John holds a BS in mathematics from James Madison University (94) and an MS in Information Systems from George Mason University (04). In addition to building systems on the cloud and helping customers reimagine their businesses, John is a dedicated husband and father of three children. He is a CrossFit athlete, youth sports coach, and vocal supporter of the arts.
Foreword
This AWS Certified Solutions Architect Official Study Guide: Associate Exam has been written to help you prepare for the AWS Certified Solutions Architect – Associate exam. This certification is becoming an increasingly important credential that every information technology professional and cloud practitioner who plans, designs, and builds application architectures for deployment on AWS should obtain. Passing the AWS Certified Solutions Architect – Associate exam demonstrates to your colleagues, employers, and the industry at large that you know how to build and deploy AWS solutions that are highly available, secure, performant, and cost effective.
This study guide was written by AWS solutions architects who wrote and reviewed exam questions for the AWS Certified Solutions Architect exams. Although nothing replaces hands-on experience building and deploying a variety of cloud applications and controls on AWS, this study guide, and the questions and exercises in each chapter, provide you with coverage of the basic AWS Cloud services combined with architectural recommendations and best practices that will help prepare you for the exam. Combining this study guide with production application deployment experience and taking the practice exams online will prepare you well and allow you to take the exam with confidence. Adding the AWS Certified Solutions Architect—Associate certification to your credentials will establish you as an industry-recognized solutions architect for the AWS platform!
—Kevin E. Kelly
Americas Solutions Architecture Lead
AWS Certified Solutions Architect – Associate
AWS Certified Solutions Architect – Professional
Herndon, VA
Introduction
Studying for any certification exam can seem daunting. This AWS Certified Solutions Architect Official Study Guide: Associate Exam was designed and developed with relevant topics, questions, and exercises to enable a cloud practitioner to focus their precious study time and effort on the germane set of topics targeted at the right level of abstraction so they can confidently take the AWS Certified Solutions Architect – Associate exam.
This study guide presents a set of topics needed to round out a cloud practitioner's hands-on experiences with AWS by covering the basic AWS Cloud services and concepts within the scope of the AWS Certified Solutions Architect – Associate exam. This study guide begins with an introduction to AWS, which is then followed by chapters on specific AWS Cloud services. In addition to the services chapters, the topics of security, risk and compliance, and architecture best practices are covered, providing the reader with a solid base for understanding how to build and deploy applications on the AWS platform. Furthermore, the AWS architectural best practices and principles are reinforced in every chapter and reflected in the self-study questions and examples to highlight the development and deployment of applications for AWS that are secure, highly available, performant, and cost effective. Each chapter includes specific information on the service or topic covered, followed by an Exam Essentials section that contains key information needed in your exam preparation. The Exam Essentials section is followed by an Exercise section with exercises designed to help reinforce the topic of the chapter with hands-on learning. Next, each chapter contains sample questions to get you accustomed to answering questions about AWS Cloud services and architecture topics. The book also contains a self-assessment exam with 25 questions, two practice exams with 50 questions each to help you gauge your readiness to take the exam, and flashcards to help you learn and retain key facts needed to prepare for the exam.
If you are looking for a targeted book written by solutions architects who wrote, reviewed, and developed the AWS Certified Solutions Architect – Associate exam, then this is the book for you.
What Does This Book Cover?
This book covers topics you need to know to prepare for the Amazon Web Services (AWS) Certified Solutions Architect – Associate exam:
Chapter 1: Introduction to AWS
This chapter provides an introduction to the AWS Cloud computing platform. It discusses the advantages of cloud computing and the fundamentals of AWS. It provides an overview of the AWS Cloud services that are fundamentally important for the exam.
Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
This chapter provides you with a basic understanding of the core object storage services available on AWS: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier. These services are used to store objects on AWS.
Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
In this chapter, you will learn how Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) provide the basic elements of compute and block-level storage to run your workloads on AWS.
Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
This chapter describes Amazon Virtual Private Cloud (Amazon VPC), which is a custom-defined virtual network within AWS. You will learn how to design secure architectures using Amazon VPC to provision your own logically isolated section of AWS.
Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
In this chapter, you will learn how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling work independently and together to help you efficiently and cost-effectively deploy highly available and optimized workloads on AWS.
Chapter 6: AWS Identity and Access Management (IAM)
This chapter covers AWS Identity and Access Management (IAM), which is used to secure transactions with the AWS resources in your AWS account.
Chapter 7: Databases and AWS
This chapter covers essential database concepts and introduces three of the AWS managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon Redshift. These managed services simplify the setup and operation of relational databases, NoSQL databases, and data warehouses.
Chapter 8: SQS, SWF, and SNS
This chapter focuses on application services in AWS, specifically Amazon Simple Queue Service (Amazon SQS), Amazon Simple Workflow Service (SWF), and Amazon Simple Notification Service (Amazon SNS). It also covers architectural guidance on using these services and the use of Amazon SNS in mobile applications.
Chapter 9: Domain Name System (DNS) and Amazon Route 53
In this chapter, you will learn about Domain Name System (DNS) and the Amazon Route 53 service, which is designed to help users find your website or application over the Internet.
Chapter 10: Amazon ElastiCache
This chapter focuses on building high-performance applications using in-memory caching technologies and Amazon ElastiCache.
Chapter 11: Additional Key Services
Additional services not covered in other chapters are covered in this chapter. Topics include Amazon CloudFront, AWS Storage Gateway, AWS Directory Service, AWS Key Management Service (KMS), AWS CloudHSM, AWS CloudTrail, Amazon Kinesis, Amazon Elastic MapReduce (Amazon EMR), AWS Data Pipeline, AWS Import/Export, AWS OpsWorks, AWS CloudFormation, AWS Elastic Beanstalk, AWS Trusted Advisor, and AWS Config.
Chapter 12: Security on AWS
This chapter covers the relevant security topics that are within scope for the AWS Certified Solutions Architect – Associate exam.
Chapter 13: AWS Risk and Compliance
This chapter covers topics associated with risk and compliance, risk mitigation, and the shared responsibility model of using AWS.
Chapter 14: Architecture Best Practices
The final chapter covers the AWS-recommended design principles and best practices for architecting systems and applications for the Cloud.
Interactive Online Learning Environment and Test Bank
The authors have worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies the AWS Certified Solutions Architect Official Study Guide: Associate Exam provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:
Sample Tests: All the questions in this book are provided, including the assessment test at the end of this Introduction and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.
Flashcards: The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first. They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.
Glossary: A glossary of key terms from this book is available as a fully searchable PDF.
Go to http://www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Exam Objectives
The AWS Certified Solutions Architect—Associate exam is intended for people who have experience in designing distributed applications and systems on the AWS platform. Here are some of the key exam topics that you should understand for this exam:
Designing and deploying scalable, highly available, and fault-tolerant systems on AWS
Migrating existing on-premises applications to AWS
Ingress and egress of data to and from AWS
Selecting the appropriate AWS service based on data, compute, database, or security requirements
Identifying appropriate use of AWS architectural best practices
Estimating AWS costs and identifying cost control mechanisms
In general, candidates should have the following:
One or more years of hands-on experience designing highly available, cost efficient, secure, fault tolerant, and scalable distributed systems on AWS
In-depth knowledge of at least one high-level programming language
Ability to identify and define requirements for an AWS-based application
Experience with deploying hybrid systems with on-premises and AWS components
Capability to provide best practices for building secure and reliable applications on the AWS platform
The exam covers four different domains, with each domain broken down into objectives and subobjectives.
Objective Map
The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain's objectives and subobjectives are covered. Each entry gives the domain or objective, its percentage of the exam where applicable, and the chapter numbers that cover it.

Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems (60% of exam)
  1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs. Chapters 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 14
  Content may include the following:
    How to design cloud services: Chapters 1, 2, 3, 4, 8, 9, 11, 14
    Planning and design: Chapters 1, 2, 3, 4, 7, 8, 9, 10, 11, 14
    Monitoring and logging: Chapters 2, 3, 8, 9, 11
  Familiarity with:
    Best practices for AWS architecture: Chapters 1, 2, 4, 7, 8, 9, 10, 14
    Developing to client specifications, including pricing/cost (e.g., On-Demand vs. Reserved vs. Spot; RTO and RPO DR design): Chapters 2, 7, 9
    Architectural trade-off decisions (e.g., high availability vs. cost, Amazon Relational Database Service (RDS) vs. installing your own database on Amazon Elastic Compute Cloud (EC2)): Chapters 2, 4, 7, 8, 9, 10
    Hybrid IT architectures (e.g., Direct Connect, Storage Gateway, VPC, Directory Services): Chapters 1, 2, 4, 14
    Elasticity and scalability (e.g., Auto Scaling, SQS, ELB, CloudFront): Chapters 1, 2, 5, 7, 8, 9, 10, 14

Domain 2.0: Implementation/Deployment (10% of exam)
  2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution. Chapters 1, 2, 3, 4, 5, 6, 8, 11, 13
  Content may include the following:
    Configure an Amazon Machine Image (AMI). Chapters 2, 3, 11
    Operate and extend service management in a hybrid IT architecture. Chapters 1, 4
    Configure services to support compliance requirements in the cloud. Chapters 2, 3, 4, 11, 13
    Launch instances across the AWS global infrastructure. Chapters 1, 2, 3, 5, 8, 11
    Configure IAM policies and best practices. Chapters 2, 6

Domain 3.0: Data Security (20% of exam)
  3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance. Chapters 2, 4, 10, 12, 13
  Content may include the following:
    AWS shared responsibility model: Chapters 12, 13
    AWS platform compliance: Chapters 11, 12, 13
    AWS security attributes (customer workloads down to physical layer): Chapters 4, 11, 12, 13
    AWS administration and security services: Chapters 7, 10, 11, 12
    AWS Identity and Access Management (IAM): Chapters 6, 12
    Amazon Virtual Private Cloud (VPC): Chapters 4, 12
    AWS CloudTrail: Chapters 11, 12
    Ingress vs. egress filtering, and which AWS services and features fit: Chapters 11, 12
    "Core" Amazon EC2 and S3 security feature sets: Chapters 2, 4, 12
    Incorporating common conventional security products (Firewall, VPN): Chapters 4, 12
    Design patterns: Chapters 7, 13
    DDoS mitigation: Chapter 12
    Encryption solutions (e.g., key services): Chapters 2, 11, 12
    Complex access controls (building sophisticated security groups, ACLs, etc.): Chapters 2, 12
    Amazon CloudWatch for the security architect: Chapter 5
    Trusted Advisor: Chapter 11
    CloudWatch Logs: Chapter 5
  3.2 Recognize critical disaster recovery techniques and their implementation. Chapters 3, 7, 9, 10
  Content may include the following:
    Disaster recovery: Chapter 3
    Recovery time objective: Chapter 7
    Recovery point objective: Chapter 7
    Amazon Elastic Block Store: Chapter 3
    AWS Import/Export: Chapter 11
    AWS Storage Gateway: Chapter 11
    Amazon Route 53: Chapter 9
    Validation of data recovery method: Chapter 3

Domain 4.0: Troubleshooting (10% of exam)
  Content may include the following:
    General troubleshooting information and questions: Chapters 5, 8
AssessmentTest1. UnderasingleAWSaccount,youhavesetupanAutoScalinggroupwithamaximumcapacityof50AmazonElasticComputeCloud(AmazonEC2)instancesinus-west-2.Whenyouscaleout,however,itonlyincreasesto20AmazonEC2instances.Whatisthelikelycause?
A. AutoScalinghasahardlimitof20AmazonEC2instances.
B. Ifnotspecified,theAutoScalinggroupmaximumcapacitydefaultsto20AmazonEC2instances.
C. TheAutoScalinggroupdesiredcapacityissetto20,soAutoScalingstoppedat20AmazonEC2instances.
D. YouhaveexceededthedefaultAmazonEC2instancelimitof20perregion.
2. ElasticLoadBalancingallowsyoutodistributetrafficacrosswhichofthefollowing?
A. OnlywithinasingleAvailabilityZone
B. MultipleAvailabilityZoneswithinaregion
C. MultipleAvailabilityZoneswithinandbetweenregions
D. MultipleAvailabilityZoneswithinandbetweenregionsandon-premisesvirtualizedinstancesrunningOpenStack
3. AmazonCloudWatchofferswhichtypesofmonitoringplans?(Choose2answers)
A. Basic
B. Detailed
C. Diagnostic
D. Precognitive
E. Retroactive
4. AnAmazonElasticComputeCloud(AmazonEC2)instanceinanAmazonVirtualPrivateCloud(AmazonVPC)subnetcansendandreceivetrafficfromtheInternetwhenwhichofthefollowingconditionsaremet?(Choose3answers)
A. NetworkAccessControlLists(ACLs)andsecuritygrouprulesdisallowalltrafficexceptrelevantInternettraffic.
B. NetworkACLsandsecuritygrouprulesallowrelevantInternettraffic.
C. AttachanInternetGateway(IGW)totheAmazonVPCandcreateasubnetroutetabletosendallnon-localtraffictothatIGW.
D. AttachaVirtualPrivateGateway(VPG)totheAmazonVPCandcreatesubnetroutestosendallnon-localtraffictothatVPG.
E. TheAmazonEC2instancehasapublicIPaddressorElasticIP(EIP)address.
F. TheAmazonEC2instancedoesnotneedapublicIPorElasticIPwhenusing
AmazonVPC.
5. IfyoulaunchfiveAmazonElasticComputeCloud(AmazonEC2)instancesinanAmazonVirtualPrivateCloud(AmazonVPC)withoutspecifyingasecuritygroup,theinstanceswillbelaunchedintoadefaultsecuritygroupthatprovideswhichofthefollowing?(Choose3answers)
A. ThefiveAmazonEC2instancescancommunicatewitheachother.
B. ThefiveAmazonEC2instancescannotcommunicatewitheachother.
C. AllinboundtrafficwillbeallowedtothefiveAmazonEC2instances.
D. NoinboundtrafficwillbeallowedtothefiveAmazonEC2instances.
E. AlloutboundtrafficwillbeallowedfromthefiveAmazonEC2instances.
F. NooutboundtrafficwillbeallowedfromthefiveAmazonEC2instances.
6. Your company wants to host its secure web application in AWS. The internal security policies consider any connections to or from the web server as insecure and require application data protection. What approaches should you use to protect data in transit for the application? (Choose 2 answers)
A. Use BitLocker to encrypt data.
B. Use HTTPS with server certificate authentication.
C. Use an AWS Identity and Access Management (IAM) role.
D. Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for database connection.
E. Use XML for data transfer from client to server.
7. You have an application that will run on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The application will make requests to Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Using best practices, what type of AWS Identity and Access Management (IAM) identity should you create for your application to access the identified services?
A. IAM role
B. IAM user
C. IAM group
D. IAM directory
8. When a request is made to an AWS Cloud service, the request is evaluated to decide whether it should be allowed or denied. The evaluation logic follows which of the following rules? (Choose 3 answers)
A. An explicit allow overrides any denies.
B. By default, all requests are denied.
C. An explicit allow overrides the default.
D. An explicit deny overrides any allows.
E. By default, all requests are allowed.
9. What is the data processing engine behind Amazon Elastic MapReduce (Amazon EMR)?
A. Apache Hadoop
B. Apache Hive
C. Apache Pig
D. Apache HBase
10. What type of AWS Elastic Beanstalk environment tier provisions resources to support a web application that handles background processing tasks?
A. Web server environment tier
B. Worker environment tier
C. Database environment tier
D. Batch environment tier
11. What Amazon Relational Database Service (Amazon RDS) feature provides the high availability for your database?
A. Regular maintenance windows
B. Security groups
C. Automated backups
D. Multi-AZ deployment
12. What administrative tasks are handled by AWS for Amazon Relational Database Service (Amazon RDS) databases? (Choose 3 answers)
A. Regular backups of the database
B. Deploying virtual infrastructure
C. Deploying the schema (for example, tables and stored procedures)
D. Patching the operating system and database software
E. Setting up non-admin database accounts and privileges
13. Which of the following use cases is well suited for Amazon Redshift?
A. A 500TB data warehouse used for market analytics
B. A NoSQL, unstructured database workload
C. A high traffic, e-commerce web application
D. An in-memory cache
14. Which of the following statements about Amazon DynamoDB secondary indexes is true?
A. There can be many per table, and they can be created at any time.
B. There can only be one per table, and it must be created when the table is created.
C. There can be many per table, and they can be created at any time.
D. There can only be one per table, and it must be created when the table is created.
15. What is the primary use case of Amazon Kinesis Firehose?
A. Ingest huge streams of data and allow custom processing of data in flight.
B. Ingest huge streams of data and store it to Amazon Simple Storage Service (Amazon S3), Amazon Redshift, or Amazon Elasticsearch Service.
C. Generate a huge stream of data from an Amazon S3 bucket.
D. Generate a huge stream of data from Amazon DynamoDB.
16. Your company has 17TB of financial trading records that need to be stored for seven years by law. Experience has shown that any record more than a year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volume attached to t2.large instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year, and delete the object after seven years.
C. Store the data in Amazon DynamoDB, and delete data older than seven years.
D. Store the data in an Amazon Glacier Vault Lock.
17. What must you do to create a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where?
A. Enable Amazon CloudWatch logs.
B. Enable versioning on the bucket.
C. Enable website hosting on the bucket.
D. Enable server access logs on the bucket.
E. Create an AWS Identity and Access Management (IAM) bucket policy.
18. Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency?
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after GET of new object
19. How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated to different Availability Zones within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.
20. Your company needs to provide streaming access to videos to authenticated users around the world. What is a good way to accomplish this?
A. Use Amazon Simple Storage Service (Amazon S3) buckets in each region with website hosting enabled.
B. Store the videos on Amazon Elastic Block Store (Amazon EBS) volumes.
C. Enable Amazon CloudFront with geolocation and signed URLs.
D. Run a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances to host the videos.
21. Which of the following are true about the AWS shared responsibility model? (Choose 3 answers)
A. AWS is responsible for all infrastructure components (that is, AWS Cloud services) that support customer deployments.
B. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software).
C. The customer may rely on AWS to manage the security of their workloads deployed on AWS.
D. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.
E. The customer must audit the AWS data centers personally to confirm the compliance of AWS systems and services.
22. Which process in an Amazon Simple Workflow Service (Amazon SWF) workflow implements a task?
A. Decider
B. Activity worker
C. Workflow starter
D. Business rule
23. Which of the following is true if you stop an Amazon Elastic Compute Cloud (Amazon EC2) instance with an Elastic IP address in an Amazon Virtual Private Cloud (Amazon VPC)?
A. The instance is disassociated from its Elastic IP address and must be re-attached when the instance is restarted.
B. The instance remains associated with its Elastic IP address.
C. The Elastic IP address is released from your account.
D. The instance is disassociated from the Elastic IP address temporarily while you restart the instance.
24. Which Amazon Elastic Compute Cloud (Amazon EC2) pricing model allows you to pay a set hourly price for compute, giving you full control over when the instance launches and terminates?
A. Spot instances
B. Reserved instance
C. On Demand instances
D. Dedicated instances
25. Under what circumstances will Amazon Elastic Compute Cloud (Amazon EC2) instance store data not be preserved?
A. The associated security groups are changed.
B. The instance is stopped or rebooted.
C. The instance is rebooted or terminated.
D. The instance is stopped or terminated.
E. None of the above
Answers to Assessment Test
1. D. Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which is 20.
2. B. The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon Elastic Compute Cloud (Amazon EC2) instances in one or more Availability Zones within a region.
3. A and B. Amazon CloudWatch has two plans: basic and detailed. There are no diagnostic, precognitive, or retroactive monitoring plans for Amazon CloudWatch.
4. B, C, and E. You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (for example, 0.0.0.0/0) to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the Internet:
Assign a public IP address or EIP address.
5. A, D, and E. If a security group is not specified at launch, then an Amazon EC2 instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.
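The default security group behaviour described in answer 5 can be checked against the rule structure the EC2 API actually returns. The following is an added example written for this guide, not code from the book or from AWS: DEFAULT_SG mirrors the shape of a DescribeSecurityGroups result (IpPermissions for inbound, IpPermissionsEgress for outbound), the group ids and addresses are constructed placeholders, and WEB_SG is a hypothetical purpose-built group shown for contrast. Security groups are stateful, so replies to an allowed flow are also permitted; that part is not modelled.

```python
"""Evaluate VPC security group rules the way the default group is described
in answer 5: inbound only from members of the same group, all outbound,
everything else implicitly denied. Added example; ids are placeholders."""
import ipaddress

GROUP_ID = "sg-0123456789abcdef0"  # constructed placeholder group id

# Shape follows the EC2 DescribeSecurityGroups response; "-1" means all
# protocols and ports.
DEFAULT_SG = {
    "GroupId": GROUP_ID,
    "GroupName": "default",
    # inbound: any protocol/port, but only when the source is this same group
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": GROUP_ID}]}
    ],
    # outbound: any protocol/port to anywhere
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}

# Hypothetical web-tier group for contrast: only HTTPS from the Internet inbound.
WEB_SG = {
    "GroupId": "sg-0fedcba9876543210",  # constructed placeholder
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}


def _rule_matches(rule, proto, port, peer_ip, peer_groups):
    """True if one permission entry covers this protocol, port and peer."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    # peer identified by security group membership (intra-group traffic)
    if any(p["GroupId"] in peer_groups for p in rule.get("UserIdGroupPairs", [])):
        return True
    # peer identified by address falling inside an allowed CIDR range
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def inbound_allowed(sg, proto, port, src_ip, src_groups=()):
    """Security groups have allow rules only: traffic passes iff a rule matches."""
    return any(_rule_matches(r, proto, port, src_ip, src_groups)
               for r in sg["IpPermissions"])


def outbound_allowed(sg, proto, port, dst_ip, dst_groups=()):
    return any(_rule_matches(r, proto, port, dst_ip, dst_groups)
               for r in sg["IpPermissionsEgress"])


if __name__ == "__main__":
    # constructed addresses: 10.0.1.5 is another instance in the group,
    # 203.0.113.7 is an Internet host
    print("peer in same group, ssh:", inbound_allowed(DEFAULT_SG, "tcp", 22, "10.0.1.5", (GROUP_ID,)))
    print("internet host, https:", inbound_allowed(DEFAULT_SG, "tcp", 443, "203.0.113.7"))
    print("outbound https:", outbound_allowed(DEFAULT_SG, "tcp", 443, "203.0.113.7"))
    print("web-tier, https from internet:", inbound_allowed(WEB_SG, "tcp", 443, "203.0.113.7"))
    print("web-tier, ssh from internet:", inbound_allowed(WEB_SG, "tcp", 22, "203.0.113.7"))
```

The absence of deny rules is the key point: nothing in a security group can be "blocked", only not allowed, which is why answers C and F in question 5 are false while D and E are true.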
6. B and D. To protect data in transit from the clients to the web application, HTTPS with server certificate authentication should be used. To protect data in transit from the web application to the database, SSL/TLS for database connection should be used.
7. A. Don't create an IAM user (or an IAM group) and pass the user's credentials to the application or embed the credentials in the application. Instead, create an IAM role that you attach to the Amazon EC2 instance to give applications running on the instance temporary security credentials. The credentials have the permissions specified in the policies attached to the role. A directory is not an identity object in IAM.
8. B, C, and D. When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
1) By default, all requests are denied (in general, requests made using the account credentials for resources in the account are always allowed).
2) An explicit allow overrides this default.
3) An explicit deny overrides any allows.
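The three rules in answer 8 are easiest to internalize by running them. The following evaluator is an added example written for this guide, not code from the book or from AWS: it models a simplified identity-based policy (Effect, Action, Resource with IAM-style `*` wildcards) and applies default deny, explicit allow over the default, and explicit deny over any allow. Conditions, principals, resource-based policies and the account-credential exception noted in the answer are left out, and the sample policies, ARNs and the account id 123456789012 are constructed placeholders.

```python
"""Simulate the IAM request evaluation rules from answer 8.
Added example; policies and ARNs below are constructed, not real."""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """True if value matches any IAM-style wildcard pattern (str or list)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return (decision, reason) for one request against all attached policies."""
    # rule 1: with no matching statement the request is implicitly denied
    decision, reason = "Deny", "implicit deny (no matching statement)"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            sid = stmt.get("Sid", "<unnamed>")
            if stmt["Effect"] == "Deny":
                # rule 3: an explicit deny wins no matter what else allowed it
                return "Deny", f"explicit deny by {sid}"
            if stmt["Effect"] == "Allow":
                # rule 2: an explicit allow overrides the default; keep scanning,
                # because a later statement may still deny
                decision, reason = "Allow", f"explicit allow by {sid}"
    return decision, reason


# Constructed sample policies (account id 123456789012 is a placeholder).
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadReports", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
            {"Sid": "OrdersRead", "Effect": "Allow",
             "Action": "dynamodb:GetItem",
             "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            # broad allow listed first: the later deny must still win
            {"Sid": "AllS3", "Effect": "Allow",
             "Action": "s3:*", "Resource": "arn:aws:s3:::reports/*"},
            {"Sid": "NoDeletes", "Effect": "Deny",
             "Action": "s3:Delete*", "Resource": "*"},
        ],
    },
]

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::payroll/salaries.csv"),
        ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"),
    ]:
        print(action, resource, "->", evaluate(SAMPLE_POLICIES, action, resource))
```

Statement order never matters in the real service either: a deny anywhere in the set of applicable policies is final, and the evaluator above reproduces that by returning as soon as a matching Deny is seen.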
9. A. Amazon EMR uses Apache Hadoop as its distributed data processing engine. Hadoop is an open source, Java software framework that supports data-intensive distributed applications running on large clusters of commodity hardware. Hive, Pig, and HBase are packages that run on top of Hadoop.
10. B. An environment tier whose web application runs background jobs is known as a worker tier. An environment tier whose web application processes web requests is known as a web server tier. Database and batch are not valid environment tiers.
11. D. Multi-AZ deployment uses synchronous replication to a different Availability Zone so that operations can continue on the replica if the master database stops responding for any reason. Automated backups provide disaster recovery, not high availability. Security groups, while important, have no effect on availability. Maintenance windows are actually times when the database may not be available.
12. A, B, and D. Amazon RDS will launch Amazon Elastic Compute Cloud (Amazon EC2) instances, install the database software, handle all patching, and perform regular backups. Anything within the database software (schema, user accounts, and so on) is the responsibility of the customer.
13. A. Amazon Redshift is a petabyte-scale data warehouse. It is not well suited for unstructured NoSQL data or highly dynamic transactional data. It is in no way a cache.
14. D. There can be one secondary index per table, and it must be created when the table is created.
15. B. The Amazon Kinesis family of services provides functionality to ingest large streams of data. Amazon Kinesis Firehose is specifically designed to ingest a stream and save it to any of the three storage services listed in Response B.
16. B. Amazon S3 and Amazon Glacier are the most cost-effective storage services. After a year, when the objects are unlikely to be accessed, you can save costs by transferring the objects to Amazon Glacier where the retrieval time is three to five hours.
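The retention plan chosen in answer 16 is expressed in S3 as a lifecycle configuration. The block below is an added example written for this guide, not code from the book or from AWS: LIFECYCLE_CONFIGURATION follows the structure that the S3 PutBucketLifecycleConfiguration API (and boto3's `put_bucket_lifecycle_configuration`) accepts, with the key prefix `trading-records/` as a constructed placeholder. The two helper functions are hypothetical checks a practitioner would run before applying the rule: one looks for rule mistakes that S3 rejects or that silently defeat the retention goal, and the other predicts the state an object should be in on a given day.

```python
"""Lifecycle rule for the seven-year trading-records scenario in question 16.
Added example; the bucket prefix and dates are constructed."""
from datetime import date, timedelta

DAYS_PER_YEAR = 365  # lifecycle rules count days since object creation, not calendar years

LIFECYCLE_CONFIGURATION = {
    "Rules": [
        {
            "ID": "trading-records-7y-retention",
            "Status": "Enabled",
            "Filter": {"Prefix": "trading-records/"},
            # records older than a year are unlikely to be read: move to Glacier
            "Transitions": [{"Days": 1 * DAYS_PER_YEAR, "StorageClass": "GLACIER"}],
            # legal retention ends after seven years: delete the object
            "Expiration": {"Days": 7 * DAYS_PER_YEAR},
        }
    ]
}

RULE = LIFECYCLE_CONFIGURATION["Rules"][0]


def lifecycle_problems(rule):
    """Return a list of problems with one rule; an empty list means it is usable."""
    problems = []
    days = [t["Days"] for t in rule.get("Transitions", [])]
    if days != sorted(days):
        problems.append("transitions must be listed in increasing day order")
    if "Expiration" in rule and days and max(days) >= rule["Expiration"]["Days"]:
        problems.append("a transition scheduled at or after expiration never takes effect")
    if rule.get("Status") != "Enabled":
        problems.append("rule is not Enabled, so nothing will transition or expire")
    if not rule.get("Filter", {}).get("Prefix", "").endswith("/"):
        problems.append("prefix without a trailing '/' may also match unrelated keys")
    return problems


def expected_state(rule, key, created, today):
    """Predict 'STANDARD', 'GLACIER' or 'EXPIRED' for an object under the rule.
    S3 actually acts at the next midnight UTC after a threshold is reached;
    this model treats the threshold day itself as the change day."""
    if not key.startswith(rule["Filter"].get("Prefix", "")):
        return "STANDARD"  # rule does not cover this key
    age_days = (today - created).days
    if "Expiration" in rule and age_days >= rule["Expiration"]["Days"]:
        return "EXPIRED"
    storage = "STANDARD"
    for transition in rule.get("Transitions", []):  # ascending by Days
        if age_days >= transition["Days"]:
            storage = transition["StorageClass"]
    return storage


if __name__ == "__main__":
    assert lifecycle_problems(RULE) == []
    created = date(2017, 1, 1)  # constructed creation date
    for years in (0, 1, 3, 7):
        when = created + timedelta(days=years * DAYS_PER_YEAR)
        print(years, "years:", expected_state(RULE, "trading-records/2017/trades.csv", created, when))
```

The prefix check matters for the cost argument: a rule scoped too widely would archive and eventually delete objects outside the trading records, so verifying the filter is as important as verifying the day counts.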
17. D. Server access logs provide a record of any access to an object in Amazon S3.
18. C. Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual consistency for GETs and DELETEs of existing objects (existing key). Response C changes the existing object so that a subsequent GET may fetch the previous and inconsistent object.
19. B. AWS will never transfer data between regions unless directed to by you. Durability in Amazon S3 is achieved by replicating your data geographically to different Availability Zones regardless of the versioning configuration. AWS doesn't use tapes.
20. C. Amazon CloudFront provides the best user experience by delivering the data from a geographically advantageous edge location. Signed URLs allow you to control access to authenticated users.
21. A, B, and D. In the AWS shared responsibility model, customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center.
22. B. An activity worker is a process or thread that performs the activity tasks that are part of your workflow. Each activity worker polls Amazon SWF for new tasks that are appropriate for that activity worker to perform; certain tasks can be performed only by certain activity workers. After receiving a task, the activity worker processes the task to completion and then reports to Amazon SWF that the task was completed and provides the result. The activity task represents one of the tasks that you identified in your application.
23. B. In an Amazon VPC, an instance's Elastic IP address remains associated with an instance when the instance is stopped.
24. C. You pay a set hourly price for an On Demand instance from when you launch it until you explicitly stop or terminate it. Spot instances can be terminated when the spot price goes above your bid price. Reserved instances involve paying for an instance over a one- or three-year term. Dedicated instances run on hardware dedicated to your account and are not a pricing model.
25. D. The data in an instance store persists only during the lifetime of its associated instance. If an instance is stopped or terminated, then the instance store does not persist. Rebooting an instance does not shut down the instance; if an instance reboots (intentionally or unintentionally), data on the instance store persists. Security groups have nothing to do with the lifetime of an instance and have no effect here.
Chapter 1 Introduction to AWS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Hybrid IT architectures (e.g., AWS Direct Connect, AWS Storage Gateway, Amazon Virtual Private Cloud [Amazon VPC], AWS Directory Service)
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon VPC, and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Operate and extend service management in a hybrid IT architecture.
Configure services to support compliance requirements in the cloud.
Launch instances across the AWS global infrastructure.
In2006,AmazonWebServices,Inc.(AWS)beganofferingITinfrastructureservicestobusinessesintheformofwebservices,nowcommonlyknownascloud
computing.Oneofthekeybenefitsofcloudcomputingistheopportunitytoreplaceup-frontcapitalinfrastructureexpenseswithlowvariablecoststhatscalewithyourbusiness.Withthecloud,businessesnolongerneedtoplanforandprocureserversandotherITinfrastructureweeksormonthsinadvance.Instead,theycaninstantlyspinuphundredsorthousandsofserversinminutesanddeliverresultsfaster.
Today,AWSprovidesahighlyreliable,scalable,andlow-costinfrastructureplatforminthecloudthatpowershundredsofthousandsofbusinessesinmorethan190countriesaroundtheworld.
ThischapterprovidesanintroductiontotheAWSCloudcomputingplatform.ItdiscussestheadvantagesofcloudcomputingandthefundamentalsofAWS.ItprovidesanoverviewoftheAWSCloudservicesthatarefundamentallyimportantfortheexam.
WhatIsCloudComputing?Cloudcomputingistheon-demanddeliveryofITresourcesandapplicationsviatheInternetwithpay-as-you-gopricing.Whetheryourunapplicationsthatsharephotostomillionsofmobileusersordeliverservicesthatsupportthecriticaloperationsofyourbusiness,thecloudprovidesrapidaccesstoflexibleandlow-costITresources.Withcloudcomputing,youdon’tneedtomakelargeup-frontinvestmentsinhardwareandspendalotoftimemanagingthathardware.Instead,youcanprovisionexactlytherighttypeandsizeofcomputingresourcesyouneedtopoweryournewestbrightideaoroperateyourITdepartment.Withcloudcomputing,youcanaccessasmanyresourcesasyouneed,almostinstantly,andonlypayforwhatyouuse.
Initssimplestform,cloudcomputingprovidesaneasywaytoaccessservers,storage,databases,andabroadsetofapplicationservicesovertheInternet.CloudcomputingproviderssuchasAWSownandmaintainthenetwork-connectedhardwarerequiredfortheseapplicationservices,whileyouprovisionandusewhatyouneedforyourworkloads.
AdvantagesofCloudComputingCloudcomputingintroducesarevolutionaryshiftinhowtechnologyisobtained,used,andmanaged,andinhoworganizationsbudgetandpayfortechnologyservices.Withtheabilitytoreconfigurethecomputingenvironmentquicklytoadapttochangingbusinessrequirements,organizationscanoptimizespending.Capacitycanbeautomaticallyscaledupordowntomeetfluctuatingusagepatterns.Servicescanbetemporarilytakenofflineorshutdownpermanentlyasbusinessdemandsdictate.Inaddition,withpay-per-usebilling,AWSCloudservicesbecomeanoperationalexpenseinsteadofacapitalexpense.
Whileeachorganizationexperiencesauniquejourneytothecloudwithnumerousbenefits,sixadvantagesbecomeapparenttimeandtimeagain,asillustratedinFigure1.1.
FIGURE1.1Sixadvantagesofcloudcomputing
Variablevs.CapitalExpenseLet’sbeginwiththeabilitytotradecapitalexpenseforvariableoperationalexpense.Insteadofhavingtoinvestheavilyindatacentersandserversbeforeknowinghowyou’regoingtousethem,youcanpayonlywhenyouconsumecomputingresourcesandpayonlyforhowmuchyouconsume.
EconomiesofScaleAnotheradvantageofcloudcomputingisthatorganizationsbenefitfrommassiveeconomiesofscale.Byusingcloudcomputing,youcanachievealowervariablecostthanyouwouldgetonyourown.Becauseusagefromhundredsofthousandsofcustomersisaggregatedinthecloud,providerssuchasAWScanachievehighereconomiesofscale,whichtranslatesintolowerprices.
StopGuessingCapacityWhenyoumakeacapacitydecisionpriortodeployinganapplication,youoftenendupeithersittingonexpensiveidleresourcesordealingwithlimitedcapacity.Withcloudcomputing,organizationscanstopguessingaboutcapacityrequirementsfortheinfrastructurenecessarytomeettheirbusinessneeds.Theycanaccessasmuchoraslittleastheyneedandscaleupordownasrequiredwithonlyafewminutes’notice.
IncreaseSpeedandAgilityInacloudcomputingenvironment,newITresourcesareoneclickaway,whichallows
organizationstoreducethetimeittakestomakethoseresourcesavailabletodevelopersfromweekstojustminutes.Thisresultsinadramaticincreaseinspeedandagilityfortheorganization,becausethecostandtimeittakestoexperimentanddevelopissignificantlylower.
FocusonBusinessDifferentiatorsCloudcomputingallowsorganizationstofocusontheirbusinesspriorities,insteadofontheheavyliftingofracking,stacking,andpoweringservers.Byembracingthisparadigmshift,organizationscanstopspendingmoneyonrunningandmaintainingdatacenters.Thisallowsorganizationstofocusonprojectsthatdifferentiatetheirbusinesses,suchasanalyzingpetabytesofdata,deliveringvideocontent,buildinggreatmobileapplications,orevenexploringMars.
GoGlobalinMinutesAnotheradvantageofcloudcomputingistheabilitytogoglobalinminutes.Organizationscaneasilydeploytheirapplicationstomultiplelocationsaroundtheworldwithjustafewclicks.Thisallowsorganizationstoprovideredundancyacrosstheglobeandtodeliverlowerlatencyandbetterexperiencestotheircustomersatminimalcost.Goingglobalusedtobesomethingonlythelargestenterprisescouldaffordtodo,butcloudcomputingdemocratizesthisability,makingitpossibleforanyorganization.
Whilespecificquestionsontheseadvantagesofcloudcomputingareunlikelytobeontheexam,havingexposuretothesebenefitscanhelprationalizetheappropriateanswers.
CloudComputingDeploymentModelsThetwoprimarycloudcomputingdeploymentmodelsthattheexamfocusesonare“all-in”cloud-baseddeploymentsandhybriddeployments.Itisimportanttounderstandhoweachstrategyappliestoarchitecturaloptionsanddecisions.
Anall-incloud-basedapplicationisfullydeployedinthecloud,withallcomponentsoftheapplicationrunninginthecloud.Applicationsinthecloudhaveeitherbeencreatedinthecloudorhavebeenmigratedfromanexistinginfrastructuretotakeadvantageofthebenefitsofcloudcomputing.Cloud-basedapplicationscanbebuiltonlow-levelinfrastructurepiecesorcanusehigher-levelservicesthatprovideabstractionfromthemanagement,architecting,andscalingrequirementsofcoreinfrastructure.
Ahybriddeploymentisacommonapproachtakenbymanyenterprisesthatconnectsinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresources,typicallyinanexistingdatacenter.Themostcommonmethodofhybriddeploymentisbetweenthecloudandexistingon-premisesinfrastructuretoextendandgrowanorganization’sinfrastructurewhileconnectingcloudresourcestointernalsystems.Choosingbetweenanexistinginvestmentininfrastructureandmovingtotheclouddoesnotneedtobeabinarydecision.Leveragingdedicatedconnectivity,identityfederation,andintegratedtoolsallowsorganizationstorunhybridapplicationsacrosson-premisesandcloudservices.
AWSFundamentalsAtitscore,AWSprovideson-demanddeliveryofITresourcesviatheInternetonasecurecloudservicesplatform,offeringcomputepower,storage,databases,contentdelivery,andotherfunctionalitytohelpbusinessesscaleandgrow.UsingAWSresourcesinsteadofyourownislikepurchasingelectricityfromapowercompanyinsteadofrunningyourowngenerator,anditprovidesthekeyadvantagesofcloudcomputing:Capacityexactlymatchesyourneed,youpayonlyforwhatyouuse,economiesofscaleresultinlowercosts,andtheserviceisprovidedbyavendorexperiencedinrunninglarge-scalenetworks.
AWSglobalinfrastructureandAWSapproachtosecurityandcompliancearekeyfoundationalconceptstounderstandasyoupreparefortheexam.
GlobalInfrastructureAWSservesoveronemillionactivecustomersinmorethan190countries,anditcontinuestoexpanditsglobalinfrastructuresteadilytohelporganizationsachievelowerlatencyandhigherthroughputfortheirbusinessneeds.
AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Eachregionisaseparategeographicarea.Eachregionhasmultiple,isolatedlocationsknownasAvailabilityZones.AWSenablestheplacementofresourcesanddatainmultiplelocations.Resourcesaren’treplicatedacrossregionsunlessorganizationschoosetodoso.
Eachregioniscompletelyindependentandisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.EachAvailabilityZoneisalsoisolated,buttheAvailabilityZonesinaregionareconnectedthroughlow-latencylinks.AvailabilityZonesarephysicallyseparatedwithinatypicalmetropolitanregionandarelocatedinlower-riskfloodplains(specificfloodzonecategorizationvariesbyregion).Inadditiontousingadiscreteuninterruptablepowersupply(UPS)andon-sitebackupgenerators,theyareeachfedviadifferentgridsfromindependentutilities(whenavailable)toreducesinglepointsoffailurefurther.AvailabilityZonesareallredundantlyconnectedtomultipletier-1transitproviders.ByplacingresourcesinseparateAvailabilityZones,youcanprotectyourwebsiteorapplicationfromaservicedisruptionimpactingasinglelocation.
YoucanachievehighavailabilitybydeployingyourapplicationacrossmultipleAvailabilityZones.Redundantinstancesforeachtier(forexample,web,application,anddatabase)ofanapplicationshouldbeplacedindistinctAvailabilityZones,therebycreatingamultisitesolution.Ataminimum,thegoalistohaveanindependentcopyofeachapplicationstackintwoormoreAvailabilityZones.
SecurityandComplianceWhetheron-premisesoronAWS,informationsecurityisofparamountimportanceto
organizationsrunningcriticalworkloads.Securityisacorefunctionalrequirementthatprotectsmission-criticalinformationfromaccidentalordeliberatetheft,leakage,integritycompromise,anddeletion.Helpingtoprotecttheconfidentiality,integrity,andavailabilityofsystemsanddataisoftheutmostimportancetoAWS,asismaintainingyourtrustandconfidence.
ThissectionisintendedtoprovideaverybriefintroductiontoAWSapproachtosecurityandcompliance.Chapter12,“SecurityonAWS,”andChapter13,“AWSRiskandCompliance,”willaddressthesetopicsingreaterdetail,includingtheimportanceofeachontheexam.
SecurityCloudsecurityatAWSisthenumberonepriority.AllAWScustomersbenefitfromdatacenterandnetworkarchitecturesbuilttosatisfytherequirementsofthemostsecurity-sensitiveorganizations.AWSanditspartnersofferhundredsoftoolsandfeaturestohelporganizationsmeettheirsecurityobjectivesforvisibility,auditability,controllability,andagility.Thismeansthatorganizationscanhavethesecuritytheyneed,butwithoutthecapitaloutlayandwithmuchloweroperationaloverheadthaninanon-premisesenvironment.
OrganizationsleveragingAWSinheritallthebestpracticesofAWSpolicies,architecture,andoperationalprocessesbuilttosatisfytherequirementsofthemostsecurity-sensitivecustomers.TheAWSinfrastructurehasbeendesignedtoprovidethehighestavailabilitywhileputtingstrongsafeguardsinplaceregardingcustomerprivacyandsegregation.WhendeployingsystemsontheAWSCloudcomputingplatform,AWShelpsbysharingthesecurityresponsibilitieswiththeorganization.AWSmanagestheunderlyinginfrastructure,andtheorganizationcansecureanythingitdeploysonAWS.Thisaffordseachorganizationtheflexibilityandagilitytheyneedinsecuritycontrols.
Thisinfrastructureisbuiltandmanagednotonlyaccordingtosecuritybestpracticesandstandards,butalsowiththeuniqueneedsofthecloudinmind.AWSusesredundantandlayeredcontrols,continuousvalidationandtesting,andasubstantialamountofautomationtoensurethattheunderlyinginfrastructureismonitoredandprotected24/7.AWSensuresthatthesecontrolsareconsistentlyappliedineverynewdatacenterorservice.
ComplianceWhencustomersmovetheirproductionworkloadstotheAWSCloud,bothpartiesbecomeresponsibleformanagingtheITenvironment.Customersareresponsibleforsettinguptheirenvironmentinasecureandcontrolledmanner.CustomersalsoneedtomaintainadequategovernanceovertheirentireITcontrolenvironment.Bytyingtogethergovernance-focused,audit-friendlyservicefeatureswithapplicablecomplianceorauditstandards,AWSenablescustomerstobuildontraditionalcomplianceprograms.ThishelpsorganizationsestablishandoperateinanAWSsecuritycontrolenvironment.
Organizationsretaincompletecontrolandownershipovertheregioninwhichtheirdataisphysicallylocated,allowingthemtomeetregionalcomplianceanddataresidencyrequirements.
TheITinfrastructurethatAWSprovidestoorganizationsisdesignedandmanagedinalignmentwithsecuritybestpracticesandavarietyofITsecuritystandards.ThefollowingisapartiallistofthemanycertificationsandstandardswithwhichAWScomplies:
ServiceOrganizationControls(SOC)1/InternationalStandardonAssuranceEngagements(ISAE)3402,SOC2,andSOC3
FederalInformationSecurityManagementAct(FISMA),DepartmentofDefenseInformationAssuranceCertificationandAccreditationProcess(DIACAP),andFederalRiskandAuthorizationManagementProgram(FedRAMP)
PaymentCardIndustryDataSecurityStandard(PCIDSS)Level1
InternationalOrganizationforStandardization(ISO)9001,ISO27001,andISO27018
AWSprovidesawiderangeofinformationregardingitsITcontrolenvironmenttohelporganizationsachieveregulatorycommitmentsintheformofreports,certifications,accreditations,andotherthird-partyattestations.
AWSCloudComputingPlatformAWSprovidesmanycloudservicesthatyoucancombinetomeetbusinessororganizationalneeds(seeFigure1.2).Whilebeingknowledgeableaboutalltheplatformserviceswillallowyoutobeawell-roundedsolutionsarchitect,understandingtheservicesandfundamentalconceptsoutlinedinthisbookwillhelpprepareyoufortheAWSCertifiedSolutionsArchitect–Associateexam.
FIGURE1.2AWSCloudcomputingplatform
ThissectionintroducesthemajorAWSCloudservicesbycategory.Subsequentchaptersprovideadeeperviewoftheservicespertinenttotheexam.
AccessingthePlatformToaccessAWSCloudservices,youcanusetheAWSManagementConsole,theAWSCommandLineInterface(CLI),ortheAWSSoftwareDevelopmentKits(SDKs).
TheAWSManagementConsoleisawebapplicationformanagingAWSCloudservices.Theconsoleprovidesanintuitiveuserinterfaceforperformingmanytasks.Eachservicehasitsownconsole,whichcanbeaccessedfromtheAWSManagementConsole.Theconsolealsoprovidesinformationabouttheaccountandbilling.
TheAWSCommandLineInterface(CLI)isaunifiedtoolusedtomanageAWSCloudservices.Withjustonetooltodownloadandconfigure,youcancontrolmultipleservicesfromthecommandlineandautomatethemthroughscripts.
TheAWSSoftwareDevelopmentKits(SDKs)provideanapplicationprogramminginterface(API)thatinteractswiththewebservicesthatfundamentallymakeuptheAWSplatform.TheSDKsprovidesupportformanydifferentprogramminglanguagesandplatformstoallowyoutoworkwithyourpreferredlanguage.WhileyoucancertainlymakeHTTPcallsdirectly
tothewebserviceendpoints,usingtheSDKscantakethecomplexityoutofcodingbyprovidingprogrammaticaccessformanyoftheservices.
ComputeandNetworkingServicesAWSprovidesavarietyofcomputeandnetworkingservicestodelivercorefunctionalityforbusinessestodevelopandruntheirworkloads.Thesecomputeandnetworkingservicescanbeleveragedwiththestorage,database,andapplicationservicestoprovideacompletesolutionforcomputing,queryprocessing,andstorageacrossawiderangeofapplications.Thissectionoffersahigh-leveldescriptionofthecorecomputingandnetworkingservices.
AmazonElasticComputeCloud(AmazonEC2)AmazonElasticComputeCloud(AmazonEC2)isawebservicethatprovidesresizablecomputecapacityinthecloud.ItallowsorganizationstoobtainandconfigurevirtualserversinAmazon’sdatacentersandtoharnessthoseresourcestobuildandhostsoftwaresystems.Organizationscanselectfromavarietyofoperatingsystemsandresourceconfigurations(memory,CPU,storage,andsoon)thatareoptimalfortheapplicationprofileofeachworkload.AmazonEC2presentsatruevirtualcomputingenvironment,allowingorganizationstolaunchcomputeresourceswithavarietyofoperatingsystems,loadthemwithcustomapplications,andmanagenetworkaccesspermissionswhilemaintainingcompletecontrol.
AWSLambdaAWSLambdaisazero-administrationcomputeplatformforback-endwebdevelopersthatrunsyourcodeforyouontheAWSCloudandprovidesyouwithafine-grainedpricingstructure.AWSLambdarunsyourback-endcodeonitsownAWScomputefleetofAmazonEC2instancesacrossmultipleAvailabilityZonesinaregion,whichprovidesthehighavailability,security,performance,andscalabilityoftheAWSinfrastructure.
AutoScalingAutoScalingallowsorganizationstoscaleAmazonEC2capacityupordownautomaticallyaccordingtoconditionsdefinedfortheparticularworkload(seeFigure1.3).NotonlycanitbeusedtohelpmaintainapplicationavailabilityandensurethatthedesirednumberofAmazonEC2instancesarerunning,butitalsoallowsresourcestoscaleinandouttomatchthedemandsofdynamicworkloads.Insteadofprovisioningforpeakload,organizationscanoptimizecostsanduseonlythecapacitythatisactuallyneeded.
FIGURE1.3Autoscalingcapacity
AutoScalingiswellsuitedbothtoapplicationsthathavestabledemandpatternsandtoapplicationsthatexperiencehourly,daily,orweeklyvariabilityinusage.
ElasticLoadBalancingElasticLoadBalancingautomaticallydistributesincomingapplicationtrafficacrossmultipleAmazonEC2instancesinthecloud.Itenablesorganizationstoachievegreaterlevelsoffaulttoleranceintheirapplications,seamlesslyprovidingtherequiredamountofloadbalancingcapacityneededtodistributeapplicationtraffic.
AWSElasticBeanstalkAWSElasticBeanstalkisthefastestandsimplestwaytogetawebapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetails,suchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.Itprovidessupportforavarietyofplatforms,includingPHP,Java,Python,Ruby,Node.js,.NET,andGo.WithAWSElasticBeanstalk,organizationsretainfullcontrolovertheAWSresourcespoweringtheapplicationandcanaccesstheunderlyingresourcesatanytime.
AmazonVirtualPrivateCloud(AmazonVPC)AmazonVirtualPrivateCloud(AmazonVPC)letsorganizationsprovisionalogicallyisolatedsectionoftheAWSCloudwheretheycanlaunchAWSresourcesinavirtualnetworkthattheydefine.Organizationshavecompletecontroloverthevirtualenvironment,includingselectionoftheIPaddressrange,creationofsubnets,andconfigurationofroutetablesand
networkgateways.Inaddition,organizationscanextendtheircorporatedatacenternetworkstoAWSbyusinghardwareorsoftwarevirtualprivatenetwork(VPN)connectionsordedicatedcircuitsbyusingAWSDirectConnect.
AWSDirectConnectAWSDirectConnectallowsorganizationstoestablishadedicatednetworkconnectionfromtheirdatacentertoAWS.UsingAWSDirectConnect,organizationscanestablishprivateconnectivitybetweenAWSandtheirdatacenter,office,orcolocationenvironment,whichinmanycasescanreducenetworkcosts,increasebandwidththroughput,andprovideamoreconsistentnetworkexperiencethanInternet-basedVPNconnections.
AmazonRoute53AmazonRoute53isahighlyavailableandscalableDomainNameSystem(DNS)webservice.Itisdesignedtogivedevelopersandbusinessesanextremelyreliableandcost-effectivewaytorouteenduserstoInternetapplicationsbytranslatinghumanreadablenames,suchaswww.example.com,intothenumericIPaddresses,suchas192.0.2.1,thatcomputersusetoconnecttoeachother.AmazonRoute53alsoservesasdomainregistrar,allowingyoutopurchaseandmanagedomainsdirectlyfromAWS.
StorageandContentDeliveryAWSprovidesavarietyofservicestomeetyourstorageneeds,suchasAmazonSimpleStorageService,AmazonCloudFront,andAmazonElasticBlockStore.Thissectionprovidesanoverviewofthestorageandcontentdeliveryservices.
AmazonSimpleStorageService(AmazonS3)AmazonSimpleStorageService(AmazonS3)providesdevelopersandITteamswithhighlydurableandscalableobjectstoragethathandlesvirtuallyunlimitedamountsofdataandlargenumbersofconcurrentusers.Organizationscanstoreanynumberofobjectsofanytype,suchasHTMLpages,sourcecodefiles,imagefiles,andencrypteddata,andaccessthemusingHTTP-basedprotocols.AmazonS3providescost-effectiveobjectstorageforawidevarietyofusecases,includingbackupandrecovery,nearlinearchive,bigdataanalytics,disasterrecovery,cloudapplications,andcontentdistribution.
AmazonGlacierAmazonGlacierisasecure,durable,andextremelylow-coststorageservicefordataarchivingandlong-termbackup.Organizationscanreliablystorelargeorsmallamountsofdataforaverylowcostpergigabytepermonth.Tokeepcostslowforcustomers,AmazonGlacierisoptimizedforinfrequentlyaccesseddatawherearetrievaltimeofseveralhoursissuitable.AmazonS3integratescloselywithAmazonGlaciertoalloworganizationstochoosetherightstoragetierfortheirworkloads.
AmazonElasticBlockStore(AmazonEBS)AmazonElasticBlockStore(AmazonEBS)providespersistentblock-levelstoragevolumesforusewithAmazonEC2instances.EachAmazonEBSvolumeisautomaticallyreplicatedwithinitsAvailabilityZonetoprotectorganizationsfromcomponentfailure,offeringhigh
availabilityanddurability.Bydeliveringconsistentandlow-latencyperformance,AmazonEBSprovidesthediskstorageneededtorunawidevarietyofworkloads.
AWSStorageGatewayAWSStorageGatewayisaserviceconnectinganon-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandtheAWSstorageinfrastructure.Theservicesupportsindustry-standardstorageprotocolsthatworkwithexistingapplications.Itprovideslow-latencyperformancebymaintainingacacheoffrequentlyaccesseddataon-premiseswhilesecurelystoringallofyourdataencryptedinAmazonS3orAmazonGlacier.
AmazonCloudFrontAmazonCloudFrontisacontentdeliverywebservice.ItintegrateswithotherAWSCloudservicestogivedevelopersandbusinessesaneasywaytodistributecontenttousersacrosstheworldwithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.AmazonCloudFrontcanbeusedtodeliveryourentirewebsite,includingdynamic,static,streaming,andinteractivecontent,usingaglobalnetworkofedgelocations.Requestsforcontentareautomaticallyroutedtothenearestedgelocation,socontentisdeliveredwiththebestpossibleperformancetoendusersaroundtheglobe.
Database Services
AWS provides fully managed relational and NoSQL database services, and in-memory caching as a service and a petabyte-scale data warehouse solution. This section provides an overview of the products that the database services comprise.
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS) provides a fully managed relational database with support for many popular open source and commercial database engines. It's a cost-efficient service that allows organizations to launch secure, highly available, fault-tolerant, production-ready databases in minutes. Because Amazon RDS manages time-consuming administration tasks, including backups, software patching, monitoring, scaling, and replication, organizational resources can focus on revenue-generating applications and business instead of mundane operational tasks.
Amazon DynamoDB
Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed database and supports both document and key/value data models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, Internet of Things, and many other applications.
Amazon Redshift
Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost effective to analyze structured data. Amazon Redshift provides a standard SQL interface that lets organizations use existing business intelligence tools. By leveraging columnar storage technology that improves I/O efficiency and parallelizing queries across multiple nodes, Amazon Redshift is able to deliver fast query performance. The Amazon Redshift architecture allows organizations to automate most of the common administrative tasks associated with provisioning, configuring, and monitoring a cloud data warehouse.
Amazon ElastiCache
Amazon ElastiCache is a web service that simplifies deployment, operation, and scaling of an in-memory cache in the cloud. The service improves the performance of web applications by allowing organizations to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower, disk-based databases. As of this writing, Amazon ElastiCache supports Memcached and Redis cache engines.
Management Tools
AWS provides a variety of tools that help organizations manage their AWS resources. This section provides an overview of the management tools that AWS provides to organizations.
Amazon CloudWatch
Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications running on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. By leveraging Amazon CloudWatch, organizations can gain system-wide visibility into resource utilization, application performance, and operational health. By using these insights, organizations can react, as necessary, to keep applications running smoothly.
AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an effective way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. AWS CloudFormation defines a JSON-based templating language that can be used to describe all the AWS resources that are necessary for a workload. Templates can be submitted to AWS CloudFormation and the service will take care of provisioning and configuring those resources in appropriate order (see Figure 1.4).
FIGURE 1.4 AWS CloudFormation workflow summary
AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for an account and delivers log files for audit and review. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the service.
AWS Config
AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing AWS resources, export an inventory of their AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Security and Identity
AWS provides security and identity services that help organizations secure their data and systems on the cloud. The following section explores these services at a high level.
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables organizations to securely control access to AWS Cloud services and resources for their users. Using IAM, organizations can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a managed service that makes it easy for organizations to create and control the encryption keys used to encrypt their data and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS KMS is integrated with several other AWS Cloud services to help protect data stored with these services.
AWS Directory Service
AWS Directory Service allows organizations to set up and run Microsoft Active Directory on the AWS Cloud or connect their AWS resources with an existing on-premises Microsoft Active Directory. Organizations can use it to manage users and groups, provide single sign-on to applications and services, create and apply Group Policies, domain join Amazon EC2 instances, and simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
AWS Certificate Manager
AWS Certificate Manager is a service that lets organizations easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS Cloud services. It removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, organizations can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancing or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals.
AWS Web Application Firewall (WAF)
AWS Web Application Firewall (WAF) helps protect web applications from common attacks and exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives organizations control over which traffic to allow or block to their web applications by defining customizable web security rules.
Application Services
AWS provides a variety of managed services to use with applications. The following section explores the application services at a high level.
Amazon API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Organizations can create an API that acts as a "front door" for applications to access data, business logic, or functionality from back-end services, such as workloads running on Amazon EC2, code running on AWS Lambda, or any web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
Amazon Elastic Transcoder
Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be a highly scalable and cost-effective way for developers and businesses to convert (or transcode) media files from their source formats into versions that will play back on devices like smartphones, tablets, and PCs.
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to recipients. In Amazon SNS, there are two types of clients—publishers and subscribers—also referred to as producers and consumers. Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel. Subscribers consume or receive the message or notification over one of the supported protocols when they are subscribed to the topic.
Amazon Simple Email Service (Amazon SES)
Amazon Simple Email Service (Amazon SES) is a cost-effective email service that organizations can use to send transactional email, marketing messages, or any other type of content to their customers. Amazon SES can also be used to receive messages and deliver them to an Amazon S3 bucket, call custom code via an AWS Lambda function, or publish notifications to Amazon SNS.
Amazon Simple Workflow Service (Amazon SWF)
Amazon Simple Workflow Service (Amazon SWF) helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon SWF can be thought of as a fully managed state tracker and task coordinator on the cloud. In common architectural patterns, if your application's steps take more than 500 milliseconds to complete, it is vitally important to track the state of processing and to provide the ability to recover or retry if a task fails. Amazon SWF helps organizations achieve this reliability.
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Queue Service (Amazon SQS) is a fast, reliable, scalable, fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available.
Summary
The term "cloud computing" refers to the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining data centers and servers, organizations can acquire technology such as compute power, storage, databases, and other services on an as-needed basis. With cloud computing, AWS manages and maintains the technology infrastructure in a secure environment and businesses access these resources via the Internet to develop and run their applications. Capacity can grow or shrink instantly and businesses pay only for what they use.
Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and how organizations budget and pay for technology services. While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again. Understanding these advantages allows architects to shape solutions that deliver continuous benefits to organizations.
AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. This enables organizations to place resources and data in multiple locations around the globe. Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining the trust and confidence of organizations around the world.
AWS offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. Having a broad understanding of these services allows solutions architects to design effective distributed applications and systems on the AWS platform.
Exam Essentials
Understand the global infrastructure. AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is located in a separate geographic area and has multiple, isolated locations known as Availability Zones.
Understand regions. An AWS region is a physical geographic location that consists of a cluster of data centers. AWS regions enable the placement of resources and data in multiple locations around the globe. Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Resources aren't replicated across regions unless organizations choose to do so.
Understand Availability Zones. An Availability Zone is one or more data centers within a region that are designed to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other zones in the same region. By placing resources in separate Availability Zones, organizations can protect their website or application from a service disruption impacting a single location.
Understand the hybrid deployment model. A hybrid deployment model is an architectural pattern providing connectivity for infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.
Review Questions
1. Which of the following describes a physical location around the world where AWS clusters data centers?
A. Endpoint
B. Collection
C. Fleet
D. Region
2. Each AWS region is composed of two or more locations that offer organizations the ability to operate production systems that are more highly available, fault tolerant, and scalable than would be possible using a single data center. What are these locations called?
A. Availability Zones
B. Replication areas
C. Geographic districts
D. Compute centers
3. What is the deployment term for an environment that extends an existing on-premises infrastructure into the cloud to connect cloud resources to internal systems?
A. All-in deployment
B. Hybrid deployment
C. On-premises deployment
D. Scatter deployment
4. Which AWS Cloud service allows organizations to gain system-wide visibility into resource utilization, application performance, and operational health?
A. AWS Identity and Access Management (IAM)
B. Amazon Simple Notification Service (Amazon SNS)
C. Amazon CloudWatch
D. AWS CloudFormation
5. Which of the following AWS Cloud services is a fully managed NoSQL database service?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon DynamoDB
C. Amazon ElastiCache
D. Amazon Relational Database Service (Amazon RDS)
6. Your company experiences fluctuations in traffic patterns to their e-commerce website based on flash sales. What service can help your company dynamically match the required compute capacity to the spike in traffic during flash sales?
A. Auto Scaling
B. Amazon Glacier
C. Amazon Simple Notification Service (Amazon SNS)
D. Amazon Virtual Private Cloud (Amazon VPC)
7. Your company provides an online photo sharing service. The development team is looking for ways to deliver image files with the lowest latency to end users so the website content is delivered with the best possible performance. What service can help speed up distribution of these image files to end users around the world?
A. Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Route 53
C. AWS Storage Gateway
D. Amazon CloudFront
8. Your company runs an Amazon Elastic Compute Cloud (Amazon EC2) instance periodically to perform a batch processing job on a large and growing file system. At the end of the batch job, you shut down the Amazon EC2 instance to save money but need to persist the file system on the Amazon EC2 instance from the previous batch runs. What AWS Cloud service can you leverage to meet these requirements?
A. Amazon Elastic Block Store (Amazon EBS)
B. Amazon DynamoDB
C. Amazon Glacier
D. AWS CloudFormation
9. What AWS Cloud service provides a logically isolated section of the AWS Cloud where organizations can launch AWS resources in a virtual network that they define?
A. Amazon Simple Workflow Service (Amazon SWF)
B. Amazon Route 53
C. Amazon Virtual Private Cloud (Amazon VPC)
D. AWS CloudFormation
10. Your company provides a mobile voting application for a popular TV show, and 5 to 25 million viewers all vote in a 15-second time span. What mechanism can you use to decouple the voting application from your back-end services that tally the votes?
A. AWS CloudTrail
B. Amazon Simple Queue Service (Amazon SQS)
C. Amazon Redshift
D. Amazon Simple Notification Service (Amazon SNS)
Chapter 2 Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Developing to client specifications, including pricing/cost (e.g., On Demand vs. Reserved vs. Spot; Recovery Time Objective [RTO] and Recovery Point Objective [RPO] disaster recovery design)
Architectural trade-off decisions (e.g., high availability vs. cost)
Hybrid IT architectures
Elasticity and scalability
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Simple Storage Service (Amazon S3) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud.
Launch instances across the AWS global infrastructure.
Configure AWS Identity and Access Management (IAM) policies and best practices.
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance
Content may include the following:
Security Architecture with AWS
"Core" Amazon S3 security feature sets
Encryption solutions (e.g., key services)
Complex access controls (building sophisticated security groups, Access Control Lists [ACLs], etc.)
Introduction
This chapter is intended to provide you with a basic understanding of the core object storage services available on AWS: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier.
Amazon S3 provides developers and IT teams with secure, durable, and highly-scalable cloud storage. Amazon S3 is easy-to-use object storage with a simple web service interface that you can use to store and retrieve any amount of data from anywhere on the web. Amazon S3 also allows you to pay only for the storage you actually use, which eliminates the capacity planning and capacity constraints associated with traditional storage.
Amazon S3 is one of the first services introduced by AWS, and it serves as one of the foundational web services—nearly any application running in AWS uses Amazon S3, either directly or indirectly. Amazon S3 can be used alone or in conjunction with other AWS services, and it offers a very high level of integration with many other AWS cloud services. For example, Amazon S3 serves as the durable target storage for Amazon Kinesis and Amazon Elastic MapReduce (Amazon EMR), it is used as the storage for Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, and it is used as a data staging or loading storage mechanism for Amazon Redshift and Amazon DynamoDB, among many other functions. Because Amazon S3 is so flexible, so highly integrated, and so commonly used, it is important to understand this service in detail.
Common use cases for Amazon S3 storage include:
Backup and archive for on-premises or cloud data
Content, media, and software storage and distribution
Big data analytics
Static website hosting
Cloud-native mobile and Internet application hosting
Disaster recovery
To support these use cases and many more, Amazon S3 offers a range of storage classes designed for various generic use cases: general purpose, infrequent access, and archive. To help manage data through its lifecycle, Amazon S3 offers configurable lifecycle policies. By using lifecycle policies, you can have your data automatically migrate to the most appropriate storage class, without modifying your application code. In order to control who has access to your data, Amazon S3 provides a rich set of permissions, access controls, and encryption options.
Amazon Glacier is another cloud storage service related to Amazon S3, but optimized for data archiving and long-term backup at extremely low cost. Amazon Glacier is suitable for "cold data," which is data that is rarely accessed and for which a retrieval time of three to five hours is acceptable. Amazon Glacier can be used both as a storage class of Amazon S3 (see the Storage Classes and Object Lifecycle Management topics in the Amazon S3 Advanced Features section), and as an independent archival storage service (see the Amazon Glacier section).
Object Storage versus Traditional Block and File Storage
In traditional IT environments, two kinds of storage dominate: block storage and file storage. Block storage operates at a lower level—the raw storage device level—and manages data as a set of numbered, fixed-size blocks. File storage operates at a higher level—the operating system level—and manages data as a named hierarchy of files and folders. Block and file storage are often accessed over a network in the form of a Storage Area Network (SAN) for block storage, using protocols such as iSCSI or Fibre Channel, or as a Network Attached Storage (NAS) file server or "filer" for file storage, using protocols such as Common Internet File System (CIFS) or Network File System (NFS). Whether directly-attached or network-attached, block or file, this kind of storage is very closely associated with the server and the operating system that is using the storage.
Amazon S3 object storage is something quite different. Amazon S3 is cloud object storage. Instead of being closely associated with a server, Amazon S3 storage is independent of a server and is accessed over the Internet. Instead of managing data as blocks or files using SCSI, CIFS, or NFS protocols, data is managed as objects using an Application Program Interface (API) built on standard HTTP verbs.
Each Amazon S3 object contains both data and metadata. Objects reside in containers called buckets, and each object is identified by a unique user-specified key (filename). Buckets are a simple flat folder with no file system hierarchy. That is, you can have multiple buckets, but you can't have a sub-bucket within a bucket. Each bucket can hold an unlimited number of objects.
It is easy to think of an Amazon S3 object (or the data portion of an object) as a file, and the key as the filename. However, keep in mind that Amazon S3 is not a traditional file system and differs in significant ways. In Amazon S3, you GET an object or PUT an object, operating on the whole object at once, instead of incrementally updating portions of the object as you would with a file. You can't "mount" a bucket, "open" an object, install an operating system on Amazon S3, or run a database on it.
Instead of a file system, Amazon S3 is highly-durable and highly-scalable object storage that is optimized for reads and is built with an intentionally minimalistic feature set. It provides a simple and robust abstraction for file storage that frees you from many underlying details that you normally do have to deal with in traditional storage. For example, with Amazon S3 you don't have to worry about device or file system storage limits and capacity planning—a single bucket can store an unlimited number of files. You also don't need to worry about data durability or replication across availability zones—Amazon S3 objects are automatically replicated on multiple devices in multiple facilities within a region. The same with scalability—if your request rate grows steadily, Amazon S3 automatically partitions buckets to support very high request rates and simultaneous access by many clients.
If you need traditional block or file storage in addition to Amazon S3 storage, AWS provides options. The Amazon EBS service provides block level storage for Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon Elastic File System (AWS EFS) provides network-attached shared file storage (NAS storage) using the NFS v4 protocol.
Amazon Simple Storage Service (Amazon S3) Basics
Now that you have an understanding of some of the key differences between traditional block and file storage versus cloud object storage, we can explore the basics of Amazon S3 in more detail.
Buckets
A bucket is a container (web folder) for objects (files) stored in Amazon S3. Every Amazon S3 object is contained in a bucket. Buckets form the top-level namespace for Amazon S3, and bucket names are global. This means that your bucket names must be unique across all AWS accounts, much like Domain Name System (DNS) domain names, not just within your own account. Bucket names can contain up to 63 lowercase letters, numbers, hyphens, and periods. You can create and use multiple buckets; you can have up to 100 per account by default.
It is a best practice to use bucket names that contain your domain name and conform to the rules for DNS names. This ensures that your bucket names are your own, can be used in all regions, and can host static websites.
AWS Regions
Even though the namespace for Amazon S3 buckets is global, each Amazon S3 bucket is created in a specific region that you choose. This lets you control where your data is stored. You can create and use buckets that are located close to a particular set of end users or customers in order to minimize latency, or located in a particular region to satisfy data locality and sovereignty concerns, or located far away from your primary facilities in order to satisfy disaster recovery and compliance needs. You control the location of your data; data in an Amazon S3 bucket is stored in that region unless you explicitly copy it to another bucket located in a different region.
Objects
Objects are the entities or files stored in Amazon S3 buckets. An object can store virtually any kind of data in any format. Objects can range in size from 0 bytes up to 5 TB, and a single bucket can store an unlimited number of objects. This means that Amazon S3 can store a virtually unlimited amount of data.
Each object consists of data (the file itself) and metadata (data about the file). The data portion of an Amazon S3 object is opaque to Amazon S3. This means that an object's data is treated as simply a stream of bytes—Amazon S3 doesn't know or care what type of data you are storing, and the service doesn't act differently for text data versus binary data.
The metadata associated with an Amazon S3 object is a set of name/value pairs that describe the object. There are two types of metadata: system metadata and user metadata. System metadata is created and used by Amazon S3 itself, and it includes things like the date last modified, object size, MD5 digest, and HTTP Content-Type. User metadata is optional, and it can only be specified at the time an object is created. You can use custom metadata to tag your data with attributes that are meaningful to you.
Keys
Every object stored in an S3 bucket is identified by a unique identifier called a key. You can think of the key as a filename. A key can be up to 1024 bytes of Unicode UTF-8 characters, including embedded slashes, backslashes, dots, and dashes.
Keys must be unique within a single bucket, but different buckets can contain objects with the same key. The combination of bucket, key, and optional version ID uniquely identifies an Amazon S3 object.
Object URL
Amazon S3 is storage for the Internet, and every Amazon S3 object can be addressed by a unique URL formed using the web services endpoint, the bucket name, and the object key. For example, with the URL:
http://mybucket.s3.amazonaws.com/jack.doc
mybucket is the S3 bucket name, and jack.doc is the key or filename. If another object is created, for instance:
http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc
then the bucket name is still mybucket, but now the key or filename is the string fee/fi/fo/fum/jack.doc. A key may contain delimiter characters like slashes or backslashes to help you name and logically organize your Amazon S3 objects, but to Amazon S3 it is simply a long key name in a flat namespace. There is no actual file and folder hierarchy. See the topic "Prefixes and Delimiters" in the "Amazon S3 Advanced Features" section that follows for more information.
For convenience, the Amazon S3 console and the Prefix and Delimiter feature allow you to navigate within an Amazon S3 bucket as if there were a folder hierarchy. However, remember that a bucket is a single flat namespace of keys with no structure.
Amazon S3 Operations
The Amazon S3 API is intentionally simple, with only a handful of common operations. They include:
Create/delete a bucket
Write an object
Read an object
Delete an object
List keys in a bucket
REST Interface
The native interface for Amazon S3 is a REST (Representational State Transfer) API. With the REST interface, you use standard HTTP or HTTPS requests to create and delete buckets, list keys, and read and write objects. REST maps standard HTTP "verbs" (HTTP methods) to the familiar CRUD (Create, Read, Update, Delete) operations. Create is HTTP PUT (and sometimes POST); read is HTTP GET; delete is HTTP DELETE; and update is HTTP POST (or sometimes PUT).
Always use HTTPS for Amazon S3 API requests to ensure that your requests and data are secure.
In most cases, users do not use the REST interface directly, but instead interact with Amazon S3 using one of the higher-level interfaces available. These include the AWS Software Development Kits (SDKs) (wrapper libraries) for iOS, Android, JavaScript, Java, .NET, Node.js, PHP, Python, Ruby, Go, and C++, the AWS Command Line Interface (CLI), and the AWS Management Console.
Amazon S3 originally supported a SOAP (Simple Object Access Protocol) API in addition to the REST API, but you should use the REST API. The legacy HTTPS endpoint is still available, but new features are not supported.
Durability and Availability
Data durability and availability are related but slightly different concepts. Durability addresses the question, "Will my data still be there in the future?" Availability addresses the question, "Can I access my data right now?" Amazon S3 is designed to provide both very high durability and very high availability for your data.
Amazon S3 standard storage is designed for 99.999999999% durability and 99.99% availability of objects over a given year. For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years. Amazon S3 achieves high durability by automatically storing data redundantly on multiple devices in multiple facilities within a region. It is designed to sustain the concurrent loss of data in two facilities without loss of user data. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.
If you need to store non-critical or easily reproducible derived data (such as image thumbnails) that doesn't require this high level of durability, you can choose to use Reduced Redundancy Storage (RRS) at a lower cost. RRS offers 99.99% durability with a lower cost of storage than traditional Amazon S3 storage.
Even though Amazon S3 storage offers very high durability at the infrastructure level, it is still a best practice to protect against user-level accidental deletion or overwriting of data by using additional features such as versioning, cross-region replication, and MFA Delete.
Data Consistency
Amazon S3 is an eventually consistent system. Because your data is automatically replicated across multiple servers and locations within a region, changes in your data may take some time to propagate to all locations. As a result, there are some situations where information that you read immediately after an update may return stale data.
For PUTs to new objects, this is not a concern—in this case, Amazon S3 provides read-after-write consistency. However, for PUTs to existing objects (object overwrite to an existing key) and for object DELETEs, Amazon S3 provides eventual consistency.
Eventual consistency means that if you PUT new data to an existing key, a subsequent GET might return the old data. Similarly, if you DELETE an object, a subsequent GET for that object might still read the deleted object. In all cases, updates to a single key are atomic—for eventually-consistent reads, you will get the new data or the old data, but never an inconsistent mix of data.
Access Control
Amazon S3 is secure by default; when you create a bucket or object in Amazon S3, only you have access. To allow you to give controlled access to others, Amazon S3 provides both coarse-grained access controls (Amazon S3 Access Control Lists [ACLs]), and fine-grained access controls (Amazon S3 bucket policies, AWS Identity and Access Management [IAM] policies, and query-string authentication).
Amazon S3 ACLs allow you to grant certain coarse-grained permissions: READ, WRITE, or FULL-CONTROL at the object or bucket level. ACLs are a legacy access control mechanism, created before IAM existed. ACLs are best used today for a limited set of use cases, such as enabling bucket logging or making a bucket that hosts a static website be world-readable.
Amazon S3 bucket policies are the recommended access control mechanism for Amazon S3 and provide much finer-grained control. Amazon S3 bucket policies are very similar to IAM policies, which are discussed in Chapter 6, "AWS Identity and Access Management (IAM)," but are subtly different in that:
They are associated with the bucket resource instead of an IAM principal.
They include an explicit reference to the IAM principal in the policy. This principal can be associated with a different AWS account, so Amazon S3 bucket policies allow you to assign cross-account access to Amazon S3 resources.
Using an Amazon S3 bucket policy, you can specify who can access the bucket, from where (by Classless Inter-Domain Routing [CIDR] block or IP address), and during what time of day.
Finally, IAM policies may be associated directly with IAM principals that grant access to an Amazon S3 bucket, just as they can grant access to any AWS service and resource. Obviously, you can only assign IAM policies to principals in AWS accounts that you control.
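The bucket-policy behaviour just described (an explicit Principal, cross-account access, a source-CIDR condition and a time window, with deny-by-default and explicit Deny winning) can be modelled in a few dozen lines. This is an added example, not code from the study guide or from AWS: a hypothetical evaluator that implements only the policy-language subset used here. Account IDs, the bucket name and the IP ranges are constructed placeholders, and the book's "time of day" restriction is expressed as an absolute aws:CurrentTime window, which is what that condition key compares against.

```python
# Added example (not AWS code): a minimal model of the bucket-policy features
# described above. It covers only the subset of the policy language used here;
# account IDs, bucket name and IP ranges are constructed placeholders.
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress

BUCKET = "example-reports-bucket"  # placeholder bucket name
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed policy: the bucket owner (account 111111111111) grants read
# access to an IAM user in another account (cross-account access), but only
# from one CIDR block and only during a fixed review window.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountReadFromOfficeDuringReview",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:user/auditor"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": BUCKET_ARNS,
            "Condition": {
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                "DateGreaterThanEquals": {"aws:CurrentTime": "2017-03-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2017-04-01T00:00:00Z"},
            },
        },
        {
            # Explicit Deny for every caller outside the CIDR block. With
            # Principal "*" it also binds the owner's own IAM users, and an
            # explicit Deny always overrides any Allow.
            "Sid": "DenyOutsideCorporateNetwork",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # Policy timestamps are ISO 8601; fromisoformat wants "+00:00" rather than "Z".
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _principal_matches(stmt, principal_arn):
    principal = stmt["Principal"]
    return principal == "*" or principal_arn in _as_list(principal.get("AWS", []))


def _conditions_hold(stmt, context):
    """All condition blocks must hold; a context key that is absent fails the check."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                in_range = any(addr in ipaddress.ip_network(c) for c in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "DateGreaterThanEquals":
                if _parse_time(actual) < _parse_time(expected):
                    return False
            elif operator == "DateLessThan":
                if _parse_time(actual) >= _parse_time(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, principal_arn, action, resource_arn, context):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" (nothing matched: denied by default)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal_arn)
                and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # cannot be overridden by any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    auditor = "arn:aws:iam::222222222222:user/auditor"
    report = f"arn:aws:s3:::{BUCKET}/2017/report.pdf"
    ctx = {"aws:SourceIp": "203.0.113.42", "aws:CurrentTime": "2017-03-15T09:30:00Z"}
    print(evaluate(POLICY, auditor, "s3:GetObject", report, ctx))  # Allow
    print(evaluate(POLICY, auditor, "s3:GetObject", report,
                   dict(ctx, **{"aws:SourceIp": "198.51.100.7"})))  # ExplicitDeny
```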
Static Website Hosting
A very common use case for Amazon S3 storage is static website hosting. Many websites, particularly micro-sites, don't need the services of a full web server. A static website means that all of the pages of the website contain only static content and do not require server-side processing such as PHP, ASP.NET, or JSP. (Note that this does not mean that the website cannot be interactive and dynamic; this can be accomplished with client-side scripts, such as JavaScript embedded in static HTML web pages.) Static websites have many advantages: they are very fast, very scalable, and can be more secure than a typical dynamic website. If you host a static website on Amazon S3, you can also leverage the security, durability, availability, and scalability of Amazon S3.
Because every Amazon S3 object has a URL, it is relatively straightforward to turn a bucket into a website. To host a static website, you simply configure a bucket for website hosting and then upload the content of the static website to the bucket.
To configure an Amazon S3 bucket for static website hosting:
1. Create a bucket with the same name as the desired website hostname.
2. Upload the static files to the bucket.
3. Make all the files public (world readable).
4. Enable static website hosting for the bucket. This includes specifying an Index document and an Error document.
5. The website will now be available at the S3 website URL:
<bucket-name>.s3-website-<AWS-region>.amazonaws.com.
6. Create a friendly DNS name in your own domain for the website using a DNS CNAME, or an Amazon Route 53 alias that resolves to the Amazon S3 website URL.
7. The website will now be available at your website domain name.
Amazon S3 Advanced Features
Beyond the basics, there are some advanced features of Amazon S3 that you should also be familiar with.
Prefixes and Delimiters
While Amazon S3 uses a flat structure in a bucket, it supports the use of prefix and delimiter parameters when listing key names. This feature lets you organize, browse, and retrieve the objects within a bucket hierarchically. Typically, you would use a slash (/) or backslash (\) as a delimiter and then use key names with embedded delimiters to emulate a file and folder hierarchy within the flat object key namespace of a bucket.
For example, you might want to store a series of server logs by server name (such as server42), but organized by year and month, like so:
logs/2016/January/server42.log
logs/2016/February/server42.log
logs/2016/March/server42.log
TheRESTAPI,wrapperSDKs,AWSCLI,andtheAmazonManagementConsoleallsupporttheuseofdelimitersandprefixes.Thisfeatureletsyoulogicallyorganizenewdataandeasilymaintainthehierarchicalfolder-and-filestructureofexistingdatauploadedorbackedupfromtraditionalfilesystems.UsedtogetherwithIAMorAmazonS3bucketpolicies,prefixesanddelimitersalsoallowyoutocreatetheequivalentofdepartmental“subdirectories”oruser“homedirectories”withinasinglebucket,restrictingorsharingaccesstothese“subdirectories”(definedbyprefixes)asneeded.
UsedelimitersandobjectprefixestohierarchicallyorganizetheobjectsinyourAmazonS3buckets,butalwaysrememberthatAmazonS3isnotreallyafilesystem.
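As an added example (not code from the book), the function below emulates how a prefix and delimiter turn a flat key list into "folders" on a list request, using the book's logs/2016/... keys extended with a few constructed entries; it also shows the IAM policy shape for the "user home directory" pattern described above, where the prefix is the access boundary. The bucket name is a placeholder.

```python
from typing import Iterable, List

# Constructed key set for this illustration: the book's logs/2016/... example
# extended with a second server, a second year, and an object at the bucket root.
SAMPLE_KEYS = [
    "logs/2016/January/server42.log",
    "logs/2016/February/server42.log",
    "logs/2016/March/server42.log",
    "logs/2016/March/server43.log",
    "logs/2017/January/server42.log",
    "readme.txt",
]


def list_objects(keys: Iterable[str], prefix: str = "", delimiter: str = "") -> dict:
    """Emulate the prefix/delimiter behaviour of an S3 list request over a flat
    key space. A key that matches the prefix is returned in Contents, unless the
    delimiter occurs after the prefix, in which case everything up to and
    including the first delimiter is rolled up into one CommonPrefixes entry
    (the emulated "folder")."""
    contents: List[str] = []
    common = set()
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            contents.append(key)
    return {
        "Prefix": prefix,
        "Delimiter": delimiter,
        "Contents": contents,
        "CommonPrefixes": sorted(common),
    }


def home_directory_policy(bucket: str) -> dict:
    """IAM policy for the "user home directory" pattern: each IAM user may list
    and work only under home/<their user name>/ in a shared bucket. The prefix
    is the access boundary, which is why listing must be restricted with the
    s3:prefix condition as well as the object actions with the resource ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnHomePrefixOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}},
            },
            {
                "Sid": "ReadWriteOwnHomeObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/home/${{aws:username}}/*",
            },
        ],
    }


if __name__ == "__main__":
    print(list_objects(SAMPLE_KEYS, prefix="logs/2016/", delimiter="/"))
    print(list_objects(SAMPLE_KEYS, prefix="", delimiter="/"))
    print(home_directory_policy("shared-bucket"))
```

Listing with prefix logs/2016/ and delimiter / returns no Contents and three CommonPrefixes (one per month), exactly as a console "folder" view does; without a delimiter every matching key comes back flat, which is the behaviour the closing sentence above is warning about.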
Storage Classes
Amazon S3 offers a range of storage classes suitable for various use cases.
Amazon S3 Standard offers high durability, high availability, low latency, and high performance object storage for general purpose use. Because it delivers low first-byte latency and high throughput, Standard is well-suited for short-term or long-term storage of frequently accessed data. For most general purpose use cases, Amazon S3 Standard is the place to start.
Amazon S3 Standard – Infrequent Access (Standard-IA) offers the same durability, low latency, and high throughput as Amazon S3 Standard, but is designed for long-lived, less frequently accessed data. Standard-IA has a lower per GB-month storage cost than Standard, but the price model also includes a minimum object size (128KB), minimum duration (30 days), and per-GB retrieval costs, so it is best suited for infrequently accessed data that is stored for longer than 30 days.
Amazon S3 Reduced Redundancy Storage (RRS) offers slightly lower durability (4 nines) than Standard or Standard-IA at a reduced cost. It is most appropriate for derived data that can be easily reproduced, such as image thumbnails.
Finally, the Amazon Glacier storage class offers secure, durable, and extremely low-cost cloud storage for data that does not require real-time access, such as archives and long-term backups. To keep costs low, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable. To retrieve an Amazon Glacier object, you issue a restore command using one of the Amazon S3 APIs; three to five hours later, the Amazon Glacier object is copied to Amazon S3 RRS. Note that the restore simply creates a copy in Amazon S3 RRS; the original data object remains in Amazon Glacier until explicitly deleted. Also be aware that Amazon Glacier allows you to retrieve up to 5% of the Amazon S3 data stored in Amazon Glacier for free each month; restores beyond the daily restore allowance incur a restore fee. Refer to the Amazon Glacier pricing page on the AWS website for full details.
In addition to acting as a storage tier in Amazon S3, Amazon Glacier is also a standalone storage service with a separate API and some unique characteristics. However, when you use Amazon Glacier as a storage class of Amazon S3, you always interact with the data via the Amazon S3 APIs. Refer to the Amazon Glacier section for more details.
Set a data retrieval policy to limit restores to the free tier or to a maximum GB-per-hour limit to avoid or minimize Amazon Glacier restore fees.
Object Lifecycle Management
Amazon S3 Object Lifecycle Management is roughly equivalent to automated storage tiering in traditional IT storage infrastructures. In many cases, data has a natural lifecycle, starting out as “hot” (frequently accessed) data, moving to “warm” (less frequently accessed) data as it ages, and ending its life as “cold” (long-term backup or archive) data before eventual deletion.
For example, many business documents are frequently accessed when they are created, then become much less frequently accessed over time. In many cases, however, compliance rules require business documents to be archived and kept accessible for years. Similarly, studies show that file, operating system, and database backups are most frequently accessed in the first few days after they are created, usually to restore after an inadvertent error. After a week or two, these backups remain a critical asset, but they are much less likely to be accessed for a restore. In many cases, compliance rules require that a certain number of backups be kept for several years.
Using Amazon S3 lifecycle configuration rules, you can significantly reduce your storage costs by automatically transitioning data from one storage class to another or even automatically deleting data after a period of time. For example, the lifecycle rules for backup data might be:
Store backup data initially in Amazon S3 Standard.
After 30 days, transition to Amazon S3 Standard-IA.
After 90 days, transition to Amazon Glacier.
After 3 years, delete.
Lifecycle configurations are attached to the bucket and can apply to all objects in the bucket or only to objects specified by a prefix.
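The backup schedule above expressed as a lifecycle rule, as an added example that is not from the book: one rule scoped to a prefix with two transitions and an expiration, plus a validator that catches the mistakes that silently make a rule ineffective (transitions out of order, a Standard-IA transition earlier than the 30-day minimum the text names, or an expiration that fires before the last transition). The prefix and the 7-day abort value for incomplete multipart uploads are constructed placeholders.

```python
import json

DAYS_PER_YEAR = 365


def backup_lifecycle_rule(prefix: str = "backups/") -> dict:
    """The book's schedule for backup data: Standard at upload, Standard-IA after
    30 days, Glacier after 90 days, delete after 3 years. Also aborts multipart
    uploads left incomplete for 7 days (a constructed value), which the text
    recommends to stop paying for parts that were never assembled."""
    return {
        "ID": "backup-tiering",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 90, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": 3 * DAYS_PER_YEAR},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }


def validate_rule(rule: dict) -> list:
    """Return a list of problems with a lifecycle rule before it is applied:
    transitions must step forward in time, the Standard-IA transition cannot
    happen before the 30-day minimum the text names, and expiration must come
    after the last transition (otherwise the later tiers are never reached)."""
    problems = []
    transitions = rule.get("Transitions", [])
    days = [t["Days"] for t in transitions]
    if any(later <= earlier for earlier, later in zip(days, days[1:])):
        problems.append("transitions must be in strictly increasing order of Days")
    for t in transitions:
        if t["StorageClass"] == "STANDARD_IA" and t["Days"] < 30:
            problems.append(f"STANDARD_IA transition at day {t['Days']} is before the 30-day minimum")
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and days and expiration <= max(days):
        problems.append("Expiration must be later than the last transition")
    return problems


def lifecycle_configuration(*rules: dict) -> str:
    """Wrap rules in the document the PutBucketLifecycleConfiguration API takes."""
    return json.dumps({"Rules": list(rules)}, indent=2)


if __name__ == "__main__":
    rule = backup_lifecycle_rule()
    print("problems:", validate_rule(rule))
    print(lifecycle_configuration(rule))
```

Because a rule with Status Enabled deletes data on schedule, the validator is the kind of check to run in review before the configuration reaches a bucket; the exercise later in this chapter notes that you cannot observe a transition quickly enough to test one interactively.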
Encryption
It is strongly recommended that all sensitive data stored in Amazon S3 be encrypted, both in flight and at rest.
To encrypt your Amazon S3 data in flight, you can use the Amazon S3 Secure Sockets Layer (SSL) API endpoints. This ensures that all data sent to and from Amazon S3 is encrypted while in transit using the HTTPS protocol.
To encrypt your Amazon S3 data at rest, you can use several variations of Server-Side Encryption (SSE). Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. All SSE performed by Amazon S3 and AWS Key Management Service (AWS KMS) uses the 256-bit Advanced Encryption Standard (AES). You can also encrypt your Amazon S3 data at rest using Client-Side Encryption, encrypting your data on the client before sending it to Amazon S3.
SSE-S3 (AWS-Managed Keys)
This is a fully integrated “check-box-style” encryption solution where AWS handles the key management and key protection for Amazon S3. Every object is encrypted with a unique key. The actual object key itself is then further encrypted by a separate master key. A new master key is issued at least monthly, with AWS rotating the keys. Encrypted data, encryption keys, and master keys are all stored separately on secure hosts, further enhancing protection.
SSE-KMS (AWS KMS Keys)
This is a fully integrated solution where Amazon handles your key management and protection for Amazon S3, but where you manage the keys. SSE-KMS offers several additional benefits compared to SSE-S3. Using SSE-KMS, there are separate permissions for using the master key, which provide protection against unauthorized access to your objects stored in Amazon S3 and an additional layer of control. AWS KMS also provides auditing, so you can see who used your key to access which object and when they tried to access this object. AWS KMS also allows you to view any failed attempts to access data from users who did not have permission to decrypt the data.
SSE-C (Customer-Provided Keys)
This is used when you want to maintain your own encryption keys but don’t want to manage or implement your own client-side encryption library. With SSE-C, AWS will do the encryption/decryption of your objects while you maintain full control of the keys used to encrypt/decrypt the objects in Amazon S3.
Client-Side Encryption
Client-side encryption refers to encrypting data on the client side of your application before sending it to Amazon S3. You have the following two options for using data encryption keys:
Use an AWS KMS-managed customer master key.
Use a client-side master key.
When using client-side encryption, you retain end-to-end control of the encryption process, including management of the encryption keys.
For maximum simplicity and ease of use, use server-side encryption with AWS-managed keys (SSE-S3 or SSE-KMS).
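An added example, not from the book, showing how the three server-side options look at the request level and how to audit what a bucket actually holds. SSE-S3 and SSE-KMS are each a single request header; SSE-C carries the customer's 256-bit key in the request with an MD5 of the key (so the key must be presented again on every GET and must only ever travel over HTTPS). The audit helper classifies objects from the headers S3 returns on a HEAD and lists those stored in plaintext. The three inventory entries are constructed, not captured from a real bucket.

```python
import base64
import hashlib
import os
from typing import Optional


def sse_s3_headers() -> dict:
    """SSE-S3: one request header, AWS manages the keys."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id: Optional[str] = None) -> dict:
    """SSE-KMS: the same header with value aws:kms, optionally naming the CMK;
    without a key ID S3 uses the account's default S3 key in AWS KMS."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def sse_c_headers(key: bytes) -> dict:
    """SSE-C: the caller supplies the 256-bit AES key on every request (PUT and
    every later GET), base64-encoded, with a base64 MD5 of the raw key so S3 can
    detect a corrupted key before using it. S3 does not store the key, so a lost
    key means lost data, and the request must go over HTTPS."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def classify_encryption(response_headers: dict) -> str:
    """Audit helper: classify an object from the headers a HEAD/GET returns.
    S3 echoes x-amz-server-side-encryption for SSE-S3/SSE-KMS and the
    customer-algorithm header for SSE-C; an object with neither is stored in
    plaintext at rest."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get("x-amz-server-side-encryption-customer-algorithm") == "AES256":
        return "SSE-C"
    sse = h.get("x-amz-server-side-encryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    return "none"


def unencrypted_objects(inventory: dict) -> list:
    """Given {key: HEAD response headers}, list the keys stored without SSE."""
    return sorted(k for k, hdrs in inventory.items() if classify_encryption(hdrs) == "none")


# Constructed HEAD responses for three objects (illustration only).
SAMPLE_INVENTORY = {
    "reports/q1.pdf": {"Content-Length": "1024", "x-amz-server-side-encryption": "aws:kms"},
    "reports/q2.pdf": {"Content-Length": "2048"},
    "exports/dump.csv": {"Content-Length": "4096", "X-Amz-Server-Side-Encryption": "AES256"},
}

if __name__ == "__main__":
    print(sse_c_headers(os.urandom(32)))
    print({k: classify_encryption(v) for k, v in SAMPLE_INVENTORY.items()})
    print("plaintext at rest:", unencrypted_objects(SAMPLE_INVENTORY))
```

Running the classifier over a real bucket means issuing a HEAD per key (or reading an S3 inventory report) and feeding the headers in; the point is that "encrypt everything" is verifiable after the fact, object by object, rather than assumed from the upload tooling.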
Versioning
Amazon S3 versioning helps protect your data against accidental or malicious deletion by keeping multiple versions of each object in the bucket, identified by a unique version ID. Versioning allows you to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. If a user makes an accidental change or even maliciously deletes an object in your S3 bucket, you can restore the object to its original state simply by referencing the version ID in addition to the bucket and object key. Versioning is turned on at the bucket level. Once enabled, versioning cannot be removed from a bucket; it can only be suspended.
MFA Delete
MFA Delete adds another layer of data protection on top of bucket versioning. MFA Delete requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to your normal security credentials, MFA Delete requires an authentication code (a temporary, one-time password) generated by a hardware or virtual Multi-Factor Authentication (MFA) device. Note that MFA Delete can only be enabled by the root account.
Pre-Signed URLs
All Amazon S3 objects by default are private, meaning that only the owner has access. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials to grant time-limited permission to download the objects. When you create a pre-signed URL for your object, you must provide your security credentials and specify a bucket name, an object key, the HTTP method (GET to download the object), and an expiration date and time. The pre-signed URLs are valid only for the specified duration. This is particularly useful to protect against “content scraping” of web content such as media files stored in Amazon S3.
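To make the pre-signed URL mechanism concrete, here is an added example (not from the book, and not the AWS SDK's own implementation) that builds a Signature Version 4 query-string pre-signed GET URL from the inputs the paragraph lists: credentials, bucket, key, method and an expiry. The signature covers the method, key, host, issue time and lifetime, which is why a recipient cannot edit the URL to reach a different object or extend its validity, and why the URL contains only the access key ID, never the secret. The bucket, key and clock are constructed; the access key pair is the example pair AWS uses in its own documentation.

```python
import datetime as dt
import hashlib
import hmac
import urllib.parse

ALGORITHM = "AWS4-HMAC-SHA256"


def utc(year, month, day, hour=0, minute=0, second=0) -> dt.datetime:
    """Aware UTC timestamp helper, so callers can pin the clock for reproducible URLs."""
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: date -> region -> service -> "aws4_request".
    The long-term secret never appears in the URL; only this derived chain is used."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def presign_get_url(bucket, key, region, access_key, secret_key, expires_in, now=None) -> str:
    """Build a SigV4 query-string pre-signed GET URL for one object. Method, key,
    host, X-Amz-Date and X-Amz-Expires are all inside the signed string."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query: sorted, URI-encoded names and values (slashes become %2F).
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = "/" + urllib.parse.quote(key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        _signing_key(secret_key, date_stamp, region), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def presigned_url_expired(url: str, now: dt.datetime) -> bool:
    """Read the issue time and lifetime back out of the URL; S3 applies this
    check (and the signature check) before serving the object."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return now > issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


if __name__ == "__main__":
    # Constructed inputs: a placeholder bucket and key, AWS's documented example
    # access key pair, and a fixed clock so the output is reproducible.
    url = presign_get_url("media-example", "videos/clip.mp4", "us-west-2",
                          "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                          3600, now=utc(2017, 1, 1, 12, 0, 0))
    print(url)
    print("expired one hour later?", presigned_url_expired(url, utc(2017, 1, 1, 13, 0, 1)))
```

Two operational points follow from the construction: the URL is only as protected as the credentials that signed it (a pre-signed URL issued from a long-lived user key stays valid for its full lifetime even if that user later loses permission in policy, until the key itself is revoked), and anyone holding the URL can use it, so treat short expiries as part of the control rather than an inconvenience.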
Multipart Upload
To better support uploading or copying of large objects, Amazon S3 provides the Multipart Upload API. This allows you to upload large objects as a set of parts, which generally gives better network utilization (through parallel transfers), the ability to pause and resume, and the ability to upload objects where the size is initially unknown.
Multipart upload is a three-step process: initiation, uploading the parts, and completion (or abort). Parts can be uploaded independently in arbitrary order, with retransmission if needed. After all of the parts are uploaded, Amazon S3 assembles the parts in order to create an object.
In general, you should use multipart upload for objects larger than 100 MB, and you must use multipart upload for objects larger than 5 GB. When using the low-level APIs, you must break the file to be uploaded into parts and keep track of the parts. When using the high-level APIs and the high-level Amazon S3 commands in the AWS CLI (aws s3 cp, aws s3 mv, and aws s3 sync), multipart upload is automatically performed for large objects.
You can set an object lifecycle policy on a bucket to abort incomplete multipart uploads after a specified number of days. This will minimize the storage costs associated with multipart uploads that were not completed.
Range GETs
It is possible to download (GET) only a portion of an object in both Amazon S3 and Amazon Glacier by using something called a Range GET. Using the Range HTTP header in the GET request or equivalent parameters in one of the SDK wrapper libraries, you specify a range of bytes of the object. This can be useful in dealing with large objects when you have poor connectivity or to download only a known portion of a large Amazon Glacier backup.
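The part bookkeeping that the low-level multipart API leaves to you, and the Range header used for partial downloads, as one added example covering both of the sections above (not code from the book or the AWS SDK): it plans the numbered byte ranges for an object of a given size, checks the size thresholds the text gives against S3's part-size and part-count limits, tracks which parts still need sending after a pause, and emits the Range header for an inclusive byte range. All sizes in the demonstration are constructed.

```python
from typing import List, Set, Tuple

MIB = 1024 * 1024
GIB = 1024 * MIB
MIN_PART_SIZE = 5 * MIB                    # S3 minimum for every part except the last
MAX_PARTS = 10_000                         # S3 maximum number of parts per upload
MULTIPART_RECOMMENDED_ABOVE = 100 * MIB    # the text's "should" threshold
MULTIPART_REQUIRED_ABOVE = 5 * GIB         # the text's "must" threshold (single-PUT limit)

Part = Tuple[int, int, int]  # (part number, first byte, last byte), bytes inclusive


def should_use_multipart(size: int) -> bool:
    return size > MULTIPART_RECOMMENDED_ABOVE


def must_use_multipart(size: int) -> bool:
    return size > MULTIPART_REQUIRED_ABOVE


def plan_parts(object_size: int, part_size: int) -> List[Part]:
    """Step 2 of a low-level multipart upload: split the object into numbered
    byte ranges that can be sent in any order and retried independently.
    Part numbers start at 1; only the final part may be smaller than 5 MB."""
    if part_size < MIN_PART_SIZE:
        raise ValueError("part size below the 5 MB minimum")
    if object_size < 0:
        raise ValueError("object size must be non-negative")
    parts: List[Part] = []
    start, number = 0, 1
    while start < object_size:
        last = min(start + part_size, object_size) - 1
        parts.append((number, start, last))
        start, number = last + 1, number + 1
    if len(parts) > MAX_PARTS:
        raise ValueError(f"{len(parts)} parts exceeds the {MAX_PARTS}-part limit; use a larger part size")
    return parts


def remaining_parts(plan: List[Part], completed: Set[int]) -> List[Part]:
    """Pause/resume: given the part numbers S3 has acknowledged, return what is
    still to be sent. The caller persists `completed` alongside the upload ID;
    an upload that is never completed or aborted keeps billing for its parts."""
    return [p for p in plan if p[0] not in completed]


def range_header(first_byte: int, last_byte: int) -> dict:
    """Range GET: the HTTP Range header for an inclusive byte range, the same
    form used to fetch a slice of a large S3 object or Glacier archive."""
    if first_byte < 0 or last_byte < first_byte:
        raise ValueError("invalid byte range")
    return {"Range": f"bytes={first_byte}-{last_byte}"}


if __name__ == "__main__":
    # Constructed sizes: a 12 MB object sent in 5 MB parts.
    plan = plan_parts(12 * MIB, 5 * MIB)
    print(plan)
    print("still to send after parts 1 and 3 acknowledged:", remaining_parts(plan, {1, 3}))
    print("header to fetch part 2's bytes back:", range_header(plan[1][1], plan[1][2]))
```

A 12 MB object in 5 MB parts yields three parts, the last of 2 MB; the same (first, last) pairs drive a resumable download, since a client that lost its connection can re-request only the ranges it is missing.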
Cross-Region Replication
Cross-region replication is a feature of Amazon S3 that allows you to asynchronously replicate all new objects in the source bucket in one AWS region to a target bucket in another region. Any metadata and ACLs associated with the object are also part of the replication. After you set up cross-region replication on your source bucket, any changes to the data, metadata, or ACLs on an object trigger a new replication to the destination bucket. To enable cross-region replication, versioning must be turned on for both source and destination buckets, and you must use an IAM policy to give Amazon S3 permission to replicate objects on your behalf.
Cross-region replication is commonly used to reduce the latency required to access objects in Amazon S3 by placing objects closer to a set of users or to meet requirements to store backup data at a certain distance from the original source data.
If turned on in an existing bucket, cross-region replication will only replicate new objects. Existing objects will not be replicated and must be copied to the new bucket via a separate command.
Logging
In order to track requests to your Amazon S3 bucket, you can enable Amazon S3 server access logs. Logging is off by default, but it can easily be enabled. When you enable logging for a bucket (the source bucket), you must choose where the logs will be stored (the target bucket). You can store access logs in the same bucket or in a different bucket. Either way, it is optional (but a best practice) to specify a prefix, such as logs/ or yourbucketname/logs/, so that you can more easily identify your logs.
Once enabled, logs are delivered on a best-effort basis with a slight delay. Logs include information such as:
Requestor account and IP address
Bucket name
Request time
Action (GET, PUT, LIST, and so forth)
Response status or error code
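The fields listed above arrive as one space-delimited line per request in the server access log format, with the timestamp in square brackets and the request URI, referrer and user agent in double quotes. As an added example (not from the book), the parser below tokenizes that format into named fields and runs two of the questions a defender asks first over it: which source addresses are collecting AccessDenied responses, and which requests were made anonymously. The five log lines are constructed for this illustration, with placeholder owner and request IDs and documentation-range IP addresses.

```python
import re
from collections import Counter
from typing import Dict, List

# Field order of an S3 server access log record (later format revisions append
# more fields after version_id; they are ignored here).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent", "version_id",
]

# One token is a [bracketed time], a "quoted string", or a run of non-space characters.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample records (not captured from a real bucket): a normal CLI
# read and write, two denied anonymous requests from one address, and an
# anonymous read of a public object.
SAMPLE_LOG = """\
EXAMPLEOWNERID my-bucket [06/Feb/2017:00:00:38 +0000] 192.0.2.3 EXAMPLEOWNERID 3E57427F33A59F07 REST.GET.OBJECT logs/2016/January/server42.log "GET /my-bucket/logs/2016/January/server42.log HTTP/1.1" 200 - 2662 2662 70 69 "-" "aws-cli/1.11.0" -
EXAMPLEOWNERID my-bucket [06/Feb/2017:00:01:00 +0000] 198.51.100.7 - 891CE47D2EXAMPLE REST.GET.OBJECT private/payroll.csv "GET /my-bucket/private/payroll.csv HTTP/1.1" 403 AccessDenied 243 - 30 - "-" "Mozilla/5.0" -
EXAMPLEOWNERID my-bucket [06/Feb/2017:00:01:05 +0000] 198.51.100.7 - 1A2B3C4D5EXAMPLE REST.GET.BUCKET - "GET /my-bucket/?prefix=private/ HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "Mozilla/5.0" -
EXAMPLEOWNERID my-bucket [06/Feb/2017:00:02:10 +0000] 192.0.2.3 EXAMPLEOWNERID 7B4A0FABEXAMPLE REST.PUT.OBJECT logs/2016/March/server42.log "PUT /my-bucket/logs/2016/March/server42.log HTTP/1.1" 200 - - 5123 50 30 "-" "aws-cli/1.11.0" -
EXAMPLEOWNERID my-bucket [06/Feb/2017:00:03:00 +0000] 203.0.113.9 - 9C8D7E6FEXAMPLE REST.GET.OBJECT public/index.html "GET /my-bucket/public/index.html HTTP/1.1" 200 - 512 512 8 7 "-" "Mozilla/5.0" -
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one access log line into named fields, stripping the brackets and quotes."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    record = dict(zip(FIELDS, tokens))
    record["time"] = record["time"].strip("[]")
    for quoted in ("request_uri", "referer", "user_agent"):
        record[quoted] = record[quoted].strip('"')
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_by_ip(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count 403 responses per source address: repeated denials from one address
    against keys the caller cannot see are the pattern to alert on."""
    return dict(Counter(r["remote_ip"] for r in records if r["http_status"] == "403"))


def anonymous_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests with no authenticated requester ("-"), i.e. made without credentials."""
    return [r for r in records if r["requester"] == "-"]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("denied per IP:", denied_by_ip(records))
    for r in anonymous_requests(records):
        print("anonymous:", r["time"], r["remote_ip"], r["operation"], r["key"], r["http_status"])
```

Because logs are delivered best-effort and with delay, this is suited to after-the-fact review and trend alerting rather than real-time blocking; the anonymous successful read of public/index.html is expected for a public website object, while the two denials against the private/ prefix from one address are the entries worth looking at.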
Event Notifications
Amazon S3 event notifications can be sent in response to actions taken on objects uploaded or stored in Amazon S3. Event notifications enable you to run workflows, send alerts, or perform other actions in response to changes in your objects stored in Amazon S3. You can use Amazon S3 event notifications to set up triggers to perform actions, such as transcoding media files when they are uploaded, processing data files when they become available, and synchronizing Amazon S3 objects with other data stores.
Amazon S3 event notifications are set up at the bucket level, and you can configure them through the Amazon S3 console, through the REST API, or by using an AWS SDK. Amazon S3 can publish notifications when new objects are created (by a PUT, POST, COPY, or multipart upload completion), when objects are removed (by a DELETE), or when Amazon S3 detects that an RRS object was lost. You can also set up event notifications based on object name prefixes and suffixes. Notification messages can be sent through either Amazon Simple Notification Service (Amazon SNS) or Amazon Simple Queue Service (Amazon SQS) or delivered directly to AWS Lambda to invoke AWS Lambda functions.
Best Practices, Patterns, and Performance
It is a common pattern to use Amazon S3 storage in hybrid IT environments and applications. For example, data in on-premises file systems, databases, and compliance archives can easily be backed up over the Internet to Amazon S3 or Amazon Glacier, while the primary application or database storage remains on-premises.
Another common pattern is to use Amazon S3 as bulk “blob” storage for data, while keeping an index to that data in another service, such as Amazon DynamoDB or Amazon RDS. This allows quick searches and complex queries on key names without listing keys continually.
Amazon S3 will scale automatically to support very high request rates, automatically re-partitioning your buckets as needed. If you need request rates higher than 100 requests per second, you may want to review the Amazon S3 best practices guidelines in the Developer Guide. To support higher request rates, it is best to ensure some level of random distribution of keys, for example by including a hash as a prefix to key names.
If you are using Amazon S3 in a GET-intensive mode, such as a static website hosting, for best performance you should consider using an Amazon CloudFront distribution as a caching layer in front of your Amazon S3 bucket.
Amazon Glacier
Amazon Glacier is an extremely low-cost storage service that provides durable, secure, and flexible storage for data archiving and online backup. To keep costs low, Amazon Glacier is designed for infrequently accessed data where a retrieval time of three to five hours is acceptable.
Amazon Glacier can store an unlimited amount of virtually any kind of data, in any format. Common use cases for Amazon Glacier include replacement of traditional tape solutions for long-term backup and archive and storage of data required for compliance purposes. In most cases, the data stored in Amazon Glacier consists of large TAR (Tape Archive) or ZIP files.
Like Amazon S3, Amazon Glacier is extremely durable, storing data on multiple devices across multiple facilities in a region. Amazon Glacier is designed for 99.999999999% durability of objects over a given year.
Archives
In Amazon Glacier, data is stored in archives. An archive can contain up to 40TB of data, and you can have an unlimited number of archives. Each archive is assigned a unique archive ID at the time of creation. (Unlike an Amazon S3 object key, you cannot specify a user-friendly archive name.) All archives are automatically encrypted, and archives are immutable—after an archive is created, it cannot be modified.
Vaults
Vaults are containers for archives. Each AWS account can have up to 1,000 vaults. You can control access to your vaults and the actions allowed using IAM policies or vault access policies.
Vault Locks
You can easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy. You can specify controls such as Write Once Read Many (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.
Data Retrieval
You can retrieve up to 5% of your data stored in Amazon Glacier for free each month, calculated on a daily prorated basis. If you retrieve more than 5%, you will incur retrieval fees based on your maximum retrieval rate. To eliminate or minimize those fees, you can set a data retrieval policy on a vault to limit your retrievals to the free tier or to a specified data rate.
Amazon Glacier versus Amazon Simple Storage Service (Amazon S3)
Amazon Glacier is similar to Amazon S3, but it differs in several key aspects. Amazon Glacier supports 40TB archives versus 5TB objects in Amazon S3. Archives in Amazon Glacier are identified by system-generated archive IDs, while Amazon S3 lets you use “friendly” key names. Amazon Glacier archives are automatically encrypted, while encryption at rest is optional in Amazon S3. However, by using Amazon Glacier as an Amazon S3 storage class together with object lifecycle policies, you can use the Amazon S3 interface to get most of the benefits of Amazon Glacier without learning a new interface.
Summary
Amazon S3 is the core object storage service on AWS, allowing you to store an unlimited amount of data with very high durability.
Common Amazon S3 use cases include backup and archive, web content, big data analytics, static website hosting, mobile and cloud-native application hosting, and disaster recovery.
Amazon S3 is integrated with many other AWS cloud services, including AWS IAM, AWS KMS, Amazon EC2, Amazon EBS, Amazon EMR, Amazon DynamoDB, Amazon Redshift, Amazon SQS, AWS Lambda, and Amazon CloudFront.
Object storage differs from traditional block and file storage. Block storage manages data at a device level as addressable blocks, while file storage manages data at the operating system level as files and folders. Object storage manages data as objects that contain both data and metadata, manipulated by an API.
Amazon S3 buckets are containers for objects stored in Amazon S3. Bucket names must be globally unique. Each bucket is created in a specific region, and data does not leave the region unless explicitly copied by the user.
Amazon S3 objects are files stored in buckets. Objects can be up to 5TB and can contain any kind of data. Objects contain both data and metadata and are identified by keys. Each Amazon S3 object can be addressed by a unique URL formed by the web services endpoint, the bucket name, and the object key.
Amazon S3 has a minimalistic API—create/delete a bucket, read/write/delete objects, list keys in a bucket—and uses a REST interface based on standard HTTP verbs—GET, PUT, POST, and DELETE. You can also use SDK wrapper libraries, the AWS CLI, and the AWS Management Console to work with Amazon S3.
Amazon S3 is highly durable and highly available, designed for 11 nines of durability of objects in a given year and four nines of availability.
Amazon S3 is eventually consistent, but offers read-after-write consistency for new object PUTs.
Amazon S3 objects are private by default, accessible only to the owner. Objects can be marked public readable to make them accessible on the web. Controlled access may be provided to others using ACLs and AWS IAM and Amazon S3 bucket policies.
Static websites can be hosted in an Amazon S3 bucket.
Prefixes and delimiters may be used in key names to organize and navigate data hierarchically much like a traditional file system.
Amazon S3 offers several storage classes suited to different use cases: Standard is designed for general-purpose data needing high performance and low latency. Standard-IA is for less frequently accessed data. RRS offers lower redundancy at lower cost for easily reproduced data. Amazon Glacier offers low-cost durable storage for archive and long-term backups that are rarely accessed and can accept a three- to five-hour retrieval time.
Object lifecycle management policies can be used to automatically move data between storage classes based on time.
Amazon S3 data can be encrypted using server-side or client-side encryption, and encryption keys can be managed with AWS KMS.
Versioning and MFA Delete can be used to protect against accidental deletion.
Cross-region replication can be used to automatically copy new objects from a source bucket in one region to a target bucket in another region.
Pre-signed URLs grant time-limited permission to download objects and can be used to protect media and other web content from unauthorized “web scraping.”
Multipart upload can be used to upload large objects, and Range GETs can be used to download portions of an Amazon S3 object or Amazon Glacier archive.
Server access logs can be enabled on a bucket to track requestor, object, action, and response.
Amazon S3 event notifications can be used to send an Amazon SQS or Amazon SNS message or to trigger an AWS Lambda function when an object is created or deleted.
Amazon Glacier can be used as a standalone service or as a storage class in Amazon S3.
Amazon Glacier stores data in archives, which are contained in vaults. You can have up to 1,000 vaults, and each vault can store an unlimited number of archives.
Amazon Glacier vaults can be locked for compliance purposes.
Exam Essentials
Know what Amazon S3 is and what it is commonly used for. Amazon S3 is secure, durable, and highly scalable cloud storage that can be used to store an unlimited amount of data in almost any format using a simple web services interface. Common use cases include backup and archive, content storage and distribution, big data analytics, static website hosting, cloud-native application hosting, and disaster recovery.
Understand how object storage differs from block and file storage. Amazon S3 cloud object storage manages data at the application level as objects using a REST API built on HTTP. Block storage manages data at the operating system level as numbered addressable blocks using protocols such as SCSI or Fibre Channel. File storage manages data as shared files at the operating system level using a protocol such as CIFS or NFS.
Understand the basics of Amazon S3. Amazon S3 stores data in objects that contain data and metadata. Objects are identified by a user-defined key and are stored in a simple flat folder called a bucket. Interfaces include a native REST interface, SDKs for many languages, an AWS CLI, and the AWS Management Console.
Know how to create a bucket; how to upload, download, and delete objects; how to make objects public; and how to open an object URL.
Understand the durability, availability, and data consistency model of Amazon S3. Amazon S3 standard storage is designed for 11 nines durability and four nines availability of objects over a year. Other storage classes differ. Amazon S3 is eventually consistent, but offers read-after-write consistency for PUTs to new objects.
Know how to enable static website hosting on Amazon S3. To create a static website on Amazon S3, you must create a bucket with the website hostname, upload your static content and make it public, enable static website hosting on the bucket, and indicate the index and error page objects.
Know how to protect your data on Amazon S3. Encrypt data in flight using HTTPS and at rest using SSE or client-side encryption. Enable versioning to keep multiple versions of an object in a bucket. Enable MFA Delete to protect against accidental deletion. Use ACLs, Amazon S3 bucket policies, and AWS IAM policies for access control. Use pre-signed URLs for time-limited download access. Use cross-region replication to automatically replicate data to another region.
Know the use case for each of the Amazon S3 storage classes. Standard is for general purpose data that needs high durability, high performance, and low latency access. Standard-IA is for data that is less frequently accessed, but that needs the same performance and availability when accessed. RRS offers lower durability at lower cost for easily replicated data. Amazon Glacier is for storing rarely accessed archival data at lowest cost, when three- to five-hour retrieval time is acceptable.
Know how to use lifecycle configuration rules. Lifecycle rules can be configured in the AWS Management Console or the APIs. Lifecycle configuration rules define actions to transition objects from one storage class to another based on time.
Know how to use Amazon S3 event notifications. Event notifications are set at the bucket level and can trigger a message in Amazon SNS or Amazon SQS or an action in AWS Lambda in response to an upload or a delete of an object.
Know the basics of Amazon Glacier as a standalone service. Data is stored in encrypted archives that can be as large as 40TB. Archives typically contain TAR or ZIP files. Vaults are containers for archives, and vaults can be locked for compliance.
Exercises
For assistance in completing the following exercises, reference the following documentation:
Getting started with Amazon S3: http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html
Setting up a static website: http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html
Using versioning: http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Object Lifecycle Management: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
EXERCISE 2.1
Create an Amazon Simple Storage Service (Amazon S3) Bucket
In this exercise, you will create a new Amazon S3 bucket in your selected region. You will use this bucket in the following exercises.
1. Log in to the AWS Management Console.
2. Choose an appropriate region, such as US West (Oregon).
3. Navigate to the Amazon S3 console. Notice that the region indicator now says Global. Remember that Amazon S3 buckets form a global namespace, even though each bucket is created in a specific region.
4. Start the create bucket process.
5. When prompted for Bucket Name, use mynewbucket.
6. Choose a region, such as US West (Oregon).
7. Try to create the bucket. You almost surely will get a message that the requested bucket name is not available. Remember that a bucket name must be unique globally.
8. Try again using your surname followed by a hyphen and then today’s date in a six-digit format as the bucket name (a bucket name that is not likely to exist already).
You should now have a new Amazon S3 bucket.
EXERCISE 2.2
Upload, Make Public, Rename, and Delete Objects in Your Bucket
In this exercise, you will upload a new object to your bucket. You will then make this object public and view the object in your browser. You will then rename the object and finally delete it from the bucket.
Upload an Object
1. Load your new bucket in the Amazon S3 console.
2. Select Upload, then Add Files.
3. Locate a file on your PC that you are okay with uploading to Amazon S3 and making public to the Internet. (We suggest using a non-personal image file for the purposes of this exercise.)
4. Select a suitable file, then Start Upload. You will see the status of your file in the Transfers section.
5. After your file is uploaded, the status should change to Done.
The file you uploaded is now stored as an Amazon S3 object and should now be listed in the contents of your bucket.
Open the Amazon S3 URL
6. Now open the properties for the object. The properties should include bucket, name, and link.
7. Copy the Amazon S3 URL for the object.
8. Paste the URL in the address bar of a new browser window or tab.
You should get a message with an XML error code AccessDenied. Even though the object has a URL, it is private by default, so it cannot be accessed by a web browser.
Make the Object Public
9. Go back to the Amazon S3 Console and select Make Public. (Equivalently, you can change the object’s permissions and add grantee Everyone and permissions Open/Download.)
10. Copy the Amazon S3 URL again and try to open it in a browser or tab. Your public image file should now display in the browser or browser tab.
Rename Object
11. In the Amazon S3 console, select Rename.
12. Rename the object, but keep the same file extension.
13. Copy the new Amazon S3 URL and try to open it in a browser or tab. You should see the same image file.
Delete the Object
14. In the Amazon S3 console, select Delete. Select OK when prompted if you want to delete the object.
15. The object has now been deleted.
16. To verify, try to reload the deleted object’s Amazon S3 URL.
You should once again get the XML AccessDenied error message.
EXERCISE 2.3
Enable Version Control
In this exercise, you will enable version control on your newly created bucket.
Enable Versioning
1. In the Amazon S3 console, load the properties of your bucket. Don’t open the bucket.
2. Enable versioning in the properties and select OK to verify. Your bucket now has versioning enabled. (Note that versioning can be suspended, but not turned off.)
Create Multiple Versions of an Object
3. Create a text file named foo.txt on your computer and write the word blue in the text file.
4. Save the text file to a location of your choosing.
5. Upload the text file to your bucket. This will be version 1.
6. After you have uploaded the text file to your bucket, open the copy on your local computer and change the word blue to red. Save the text file with the original file name.
7. Upload the modified file to your bucket.
8. Select Show Versions on the uploaded object.
You will now see two different versions of the object with different Version IDs and possibly different sizes. Note that when you select Show Versions, the Amazon S3 URL now includes the version ID in the query string after the object name.
EXERCISE 2.4
Delete an Object and Then Restore It
In this exercise, you will delete an object in your Amazon S3 bucket and then restore it.
Delete an Object
1. Open the bucket containing the text file for which you now have two versions.
2. Select Hide Versions.
3. Select Delete, and then select OK to verify.
4. Your object will now be deleted, and you can no longer see the object.
5. Select Show Versions.
Both versions of the object now show their version IDs.
Restore an Object
6. Open your bucket.
7. Select Show Versions.
8. Select the oldest version and download the object. Note that the file name is simply foo.txt with no version indicator.
9. Upload foo.txt to the same bucket.
10. Select Hide Versions, and the file foo.txt should re-appear.
To restore a version, you copy the desired version into the same bucket. In the Amazon S3 console, this requires a download then re-upload of the object. Using APIs, SDKs, or the AWS CLI, you can copy a version directly without downloading and re-uploading.
EXERCISE 2.5
Lifecycle Management
In this exercise, you will explore the various options for lifecycle management.
1. Select your bucket in the Amazon S3 console.
2. Under Properties, add a Lifecycle Rule.
3. Explore the various options to add lifecycle rules to objects in this bucket. It is recommended that you do not implement any of these options, as you may incur additional costs. After you have finished, click the Cancel button.
Most lifecycle rules require some number of days to expire before the transition takes effect. For example, it takes a minimum of 30 days to transition from Amazon S3 Standard to Amazon S3 Standard-IA. This makes it impractical to create a lifecycle rule and see the actual result in an exercise.
EXERCISE 2.6
Enable Static Hosting on Your Bucket
In this exercise, you will enable static hosting on your newly created bucket.
1. Select your bucket in the Amazon S3 console.
2. In the Properties section, select Enable Website Hosting.
3. For the index document name, enter index.txt, and for the error document name, enter error.txt.
4. Use a text editor to create two text files and save them as index.txt and error.txt. In the index.txt file, write the phrase “Hello World,” and in the error.txt file, write the phrase “Error Page.” Save both text files and upload them to your bucket.
5. Make the two objects public.
6. Copy the Endpoint: link under Static Website Hosting and paste it in a browser window or tab. You should now see the phrase “H​ello World” displayed.
7. In the address bar in your browser, try adding a forward slash followed by a made-up file name (for example, /test.html). You should now see the phrase “Error Page” displayed.
8. To clean up, delete all of the objects in your bucket and then delete the bucket itself.
Review Questions
1. In what ways does Amazon Simple Storage Service (Amazon S3) object storage differ from block and file storage? (Choose 2 answers)
A. Amazon S3 stores data in fixed size blocks.
B. Objects are identified by a numbered address.
C. Objects can be any size.
D. Objects contain both data and metadata.
E. Objects are stored in buckets.
2. Which of the following are not appropriate use cases for Amazon Simple Storage Service (Amazon S3)? (Choose 2 answers)
A. Storing web content
B. Storing a file system mounted to an Amazon Elastic Compute Cloud (Amazon EC2) instance
C. Storing backups for a relational database
D. Primary storage for a database
E. Storing logs for analytics
3. What are some of the key characteristics of Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers)
A. All objects have a URL.
B. Amazon S3 can store unlimited amounts of data.
C. Objects are world-readable by default.
D. Amazon S3 uses a REST (Representational State Transfer) Application Program Interface (API).
E. You must pre-allocate the storage in a bucket.
4. Which features can be used to restrict access to Amazon Simple Storage Service (Amazon S3) data? (Choose 3 answers)
A. Enable static website hosting on the bucket.
B. Create a pre-signed URL for an object.
C. Use an Amazon S3 Access Control List (ACL) on a bucket or object.
D. Use a lifecycle policy.
E. Use an Amazon S3 bucket policy.
5. Your application stores critical data in Amazon Simple Storage Service (Amazon S3), which must be protected against inadvertent or intentional deletion. How can this data be protected? (Choose 2 answers)
A. Use cross-region replication to copy data to another bucket automatically.
B. Set a vault lock.
C. Enable versioning on the bucket.
D. Use a lifecycle policy to migrate data to Amazon Glacier.
E. Enable MFA Delete on the bucket.
6. Your company stores documents in Amazon Simple Storage Service (Amazon S3), but it wants to minimize cost. Most documents are used actively for only about a month, then much less frequently. However, all data needs to be available within minutes when requested. How can you meet these requirements?
A. Migrate the data to Amazon S3 Reduced Redundancy Storage (RRS) after 30 days.
B. Migrate the data to Amazon Glacier after 30 days.
C. Migrate the data to Amazon S3 Standard – Infrequent Access (IA) after 30 days.
D. Turn on versioning, then migrate the older version to Amazon Glacier.
7. How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.
8. Based on the following Amazon Simple Storage Service (Amazon S3) URL, which one of the following statements is correct?
https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc
A. The object “myfile.doc” is stored in the folder “folderx” in the bucket “bucket1.abc.com.”
B. The object “myfile.doc” is stored in the bucket “bucket1.abc.com.”
C. The object “folderx/myfile.doc” is stored in the bucket “bucket1.abc.com.”
D. The object “myfile.doc” is stored in the bucket “bucket1.”
9. To have a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where, you should do what?
A. Enable versioning on the bucket.
B. Enable website hosting on the bucket.
C. Enable server access logs on the bucket.
D. Create an AWS Identity and Access Management (IAM) bucket policy.
E. Enable Amazon CloudWatch logs.
10. What are some reasons to enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
A. You want a backup of your data in case of accidental deletion.
B. You have a set of users or customers who can access the second bucket with lower latency.
C. For compliance reasons, you need to store data in a location at least 300 miles away from the first region.
D. Your data needs at least five nines of durability.
11. Your company requires that all data sent to external storage be encrypted before being sent. Which Amazon Simple Storage Service (Amazon S3) encryption solution will meet this requirement?
A. Server-Side Encryption (SSE) with AWS-managed keys (SSE-S3)
B. SSE with customer-provided keys (SSE-C)
C. Client-side encryption with customer-managed keys
D. Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
12. You have a popular web application that accesses data stored in an Amazon Simple Storage Service (Amazon S3) bucket. You expect the access to be very read-intensive, with expected request rates of up to 500 GETs per second from many clients. How can you increase the performance and scalability of Amazon S3 in this case?
A. Turn on cross-region replication to ensure that data is served from multiple locations.
B. Ensure randomness in the namespace by including a hash prefix to key names.
C. Turn on server access logging.
D. Ensure that key names are sequential to enable pre-fetch.
13. What is needed before you can enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
A. Enable versioning on the bucket.
B. Enable a lifecycle rule to migrate data to the second region.
C. Enable static website hosting.
D. Create an AWS Identity and Access Management (IAM) policy to allow Amazon S3 to replicate objects on your behalf.
14. Your company has 100TB of financial records that need to be stored for seven years by law. Experience has shown that any record more than one year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volumes attached to t2.micro instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year and delete the object after seven years.
C. Store the data in Amazon DynamoDB and run a daily script to delete data older than seven years.
D. Store the data in Amazon Elastic MapReduce (Amazon EMR).
15. Amazon Simple Storage Service (S3) bucket policies can restrict access to an Amazon S3 bucket and objects by which of the following? (Choose 3 answers)
A. Company name
B. IP address range
C. AWS account
D. Country of origin
E. Objects with a specific prefix
16. Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency? (Choose 2 answers)
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after PUT of new object
17. What must be done to host a static website in an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 3 answers)
A. Configure the bucket for static hosting and specify an index and error document.
B. Create a bucket with the same name as the website.
C. Enable File Transfer Protocol (FTP) on the bucket.
D. Make the objects in the bucket world-readable.
E. EnableHTTPonthebucket.
18. YouhavevaluablemediafileshostedonAWSandwantthemtobeservedonlytoauthenticatedusersofyourwebapplication.Youareconcernedthatyourcontentcouldbestolenanddistributedforfree.Howcanyouprotectyourcontent?
A. Usestaticwebhosting.
B. Generatepre-signedURLsforcontentinthewebapplication.
C. UseAWSIdentityandAccessManagement(IAM)policiestorestrictaccess.
D. Useloggingtotrackyourcontent.
19. AmazonGlacieriswell-suitedtodatathatiswhichofthefollowing?(Choose2answers)
A. Isinfrequentlyorrarelyaccessed
B. Mustbeimmediatelyavailablewhenneeded
C. Isavailableafterathree-tofive-hourrestoreperiod
D. Isfrequentlyerasedwithin30days
20. WhichstatementsaboutAmazonGlacieraretrue?(Choose3answers)
A. AmazonGlacierstoresdatainobjectsthatliveinarchives.
B. AmazonGlacierarchivesareidentifiedbyuser-specifiedkeynames.
C. AmazonGlacierarchivestakethreetofivehourstorestore.
D. AmazonGlaciervaultscanbelocked.
E. AmazonGlaciercanbeusedasastandaloneserviceandasanAmazonS3storageclass.
Chapter 3 Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure an Amazon Machine Image (AMI)
Configure services to support compliance requirements in the cloud
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.2 Recognize critical disaster recovery techniques and their implementation.
Content may include the following:
Disaster recovery
Amazon EBS
Introduction
In this chapter, you learn how Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) provide the basic elements of compute and block-level storage to run your workloads on AWS. It focuses on key topics you need to understand for the exam, including:
How instance types and Amazon Machine Images (AMIs) define the capabilities of instances you launch on the cloud
How to securely access your instances running on the cloud
How to protect your instances with virtual firewalls called security groups
How to have your instances configure themselves for unattended launch
How to monitor and manage your instances on the cloud
How to change the capabilities of an existing instance
The payment options available for the best mix of affordability and flexibility
How tenancy options and placement groups provide options to optimize compliance and performance
How instance stores differ from Amazon EBS volumes and when they are effective
What types of volumes are available through Amazon EBS
How to protect your data on Amazon EBS
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 is AWS's primary web service that provides resizable compute capacity in the cloud.
Compute Basics
Compute refers to the amount of computational power required to fulfill your workload. If your workload is very small, such as a website that receives few visitors, then your compute needs are very small. A large workload, such as screening ten million compounds against a common cancer target, might require a great deal of compute. The amount of compute you need might change drastically over time.
Amazon EC2 allows you to acquire compute through the launching of virtual servers called instances. When you launch an instance, you can make use of the compute as you wish, just as you would with an on-premises server. Because you are paying for the computing power of the instance, you are charged per hour while the instance is running. When you stop the instance, you are no longer charged.
There are two concepts that are key to launching instances on AWS: (1) the amount of virtual hardware dedicated to the instance and (2) the software loaded on the instance. These two dimensions of new instances are controlled, respectively, by the instance type and the AMI.
Instance Types
The instance type defines the virtual hardware supporting an Amazon EC2 instance. There are dozens of instance types available, varying in the following dimensions:
Virtual CPUs (vCPUs)
Memory
Storage (size and type)
Network performance
Instance types are grouped into families based on the ratio of these values to each other. For instance, the m4 family provides a balance of compute, memory, and network resources, and it is a good choice for many applications. Within each family there are several choices that scale up linearly in size. Figure 3.1 shows the four instance sizes in the m4 family. Note that the ratio of vCPUs to memory is constant as the sizes scale linearly. The hourly price for each size scales linearly as well. For example, an m4.xlarge instance costs twice as much as the m4.large instance.
FIGURE 3.1 Memory and vCPUs for the m4 instance family
Different instance type families tilt the ratio to accommodate different types of workloads, but they all exhibit this linear scale-up behavior within the family. Table 3.1 lists some of the families available.
TABLE 3.1 Sample Instance Type Families
Family   Description
c4   Compute optimized—For workloads requiring significant processing
r3   Memory optimized—For memory-intensive workloads
i2   Storage optimized—For workloads requiring high amounts of fast SSD storage
g2   GPU-based instances—Intended for graphics and general-purpose GPU compute workloads
In response to customer demand and to take advantage of new processor technology, AWS occasionally introduces new instance families. Check the AWS website for the current list.
Another variable to consider when choosing an instance type is network performance. For most instance types, AWS publishes a relative measure of network performance: low, moderate, or high. Some instance types specify a network performance of 10 Gbps. The network performance increases within a family as the instance type grows.
For workloads requiring greater network performance, many instance types support enhanced networking. Enhanced networking reduces the impact of virtualization on network performance by enabling a capability called Single Root I/O Virtualization (SR-IOV). This results in more Packets Per Second (PPS), lower latency, and less jitter. At the time of this writing, there are instance types that support enhanced networking in the C3, C4, D2, I2, M4, and R3 families (consult the AWS documentation for a current list). Enabling enhanced networking on an instance involves ensuring the correct drivers are installed and modifying an instance attribute. Enhanced networking is available only for instances launched in an Amazon Virtual Private Cloud (Amazon VPC), which is discussed in Chapter 4, “Amazon Virtual Private Cloud (Amazon VPC).”
Amazon Machine Images (AMIs)
The Amazon Machine Image (AMI) defines the initial software that will be on an instance when it is launched. An AMI defines every aspect of the software state at instance launch, including:
The Operating System (OS) and its configuration
The initial state of any patches
Application or system software
All AMIs are based on x86 OSs, either Linux or Windows.
There are four sources of AMIs:
Published by AWS—AWS publishes AMIs with versions of many different OSs, both Linux and Windows. These include multiple distributions of Linux (including Ubuntu, Red Hat, and Amazon's own distribution) and Windows 2008 and Windows 2012. Launching an instance based on one of these AMIs will result in the default OS settings, similar to installing an OS from the standard OS ISO image. As with any OS installation, you should immediately apply all appropriate patches upon launch.
The AWS Marketplace—AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on Amazon EC2. Many AWS partners have made their software available in the AWS Marketplace. This provides two benefits: the customer does not need to install the software, and the license agreement is appropriate for the cloud. Instances launched from an AWS Marketplace AMI incur the standard hourly cost of the instance type plus an additional per-hour charge for the additional software (some open-source AWS Marketplace packages have no additional software charge).
Generated from Existing Instances—An AMI can be created from an existing Amazon EC2 instance. This is a very common source of AMIs. Customers launch an instance from a published AMI, and then the instance is configured to meet all the customer's corporate standards for updates, management, security, and so on. An AMI is then generated from the configured instance and used to generate all instances of that OS. In this way, all new instances follow the corporate standard and it is more difficult for individual projects to launch non-conforming instances.
Uploaded Virtual Servers—Using the AWS VM Import/Export service, customers can create images from various virtualization formats, including raw, VHD, VMDK, and OVA. The current list of supported OSs (Linux and Windows) can be found in the AWS documentation. It is incumbent on the customers to remain compliant with the licensing terms of their OS vendor.
Securely Using an Instance
Once launched, instances can be managed over the Internet. AWS has several services and features to ensure that this management can be done simply and securely.
Addressing an Instance
There are several ways that an instance may be addressed over the web upon creation:
Public Domain Name System (DNS) Name—When you launch an instance, AWS creates a DNS name that can be used to access the instance. This DNS name is generated automatically and cannot be specified by the customer. The name can be found in the Description tab of the AWS Management Console or via the Command Line Interface (CLI) or Application Programming Interface (API). This DNS name persists only while the instance is running and cannot be transferred to another instance.
Public IP—A launched instance may also have a public IP address assigned. This IP address is assigned from the addresses reserved by AWS and cannot be specified. This IP address is unique on the Internet, persists only while the instance is running, and cannot be transferred to another instance.
Elastic IP—An elastic IP address is an address unique on the Internet that you reserve independently and associate with an Amazon EC2 instance. While similar to a public IP, there are some key differences. This IP address persists until the customer releases it and is not tied to the lifetime or state of an individual instance. Because it can be transferred to a replacement instance in the event of an instance failure, it is a public address that can be shared externally without coupling clients to a particular instance.
Private IP addresses and Elastic Network Interfaces (ENIs) are additional methods of addressing instances that are available in the context of an Amazon VPC. These are discussed in Chapter 4.
Initial Access
Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data and an associated private key to decrypt the data. These two keys together are called a key pair. Key pairs can be created through the AWS Management Console, CLI, or API, or customers can upload their own key pairs. AWS stores the public key, and the private key is kept by the customer. The private key is essential to acquiring secure access to an instance for the first time.
Store your private keys securely. When Amazon EC2 launches a Linux instance, the public key is stored in the ~/.ssh/authorized_keys file of the initial user on the instance, and that initial user is created. The initial user can vary depending on the OS. For example, the Amazon Linux distribution initial user is ec2-user. Initial access to the instance is obtained by using the ec2-user account and the private key to log in via SSH. At this point, you can configure other users and enroll in a directory such as LDAP.
When launching a Windows instance, Amazon EC2 generates a random password for the local administrator account and encrypts the password using the public key. Initial access to the instance is obtained by decrypting the password with the private key, either in the console or through the API. The decrypted password can be used to log in to the instance with the local administrator account via RDP. At this point, you can create other local users and/or connect to an Active Directory domain.
It is a best practice to change the initial local administrator password.
Virtual Firewall Protection
AWS allows you to control traffic in and out of your instances through virtual firewalls called security groups. Security groups allow you to control traffic based on port, protocol, and source/destination. Security groups have different capabilities depending on whether they are associated with an Amazon VPC or Amazon EC2-Classic. Table 3.2 compares these different capabilities (Amazon VPC is discussed in Chapter 4).
TABLE 3.2 Different Security Groups
Type of Security Group   Capabilities
EC2-Classic Security Groups   Control incoming instance traffic only
VPC Security Groups   Control outgoing and incoming instance traffic
Security groups are associated with instances when they are launched. Every instance must have at least one security group but can have more.
A security group is default deny; that is, it does not allow any traffic that is not explicitly allowed by a security group rule. A rule is defined by the three attributes in Table 3.3. When an instance is associated with multiple security groups, the rules are aggregated and all traffic allowed by each of the individual groups is allowed. For example, if security group A allows RDP traffic from 72.58.0.0/16 and security group B allows HTTP and HTTPS traffic from 0.0.0.0/0 and your instance is associated with both groups, then both the RDP and HTTP/S traffic will be allowed into your instance. Because the aggregation is a union, attaching an additional group can only widen what is allowed, never narrow it; security group rules express allows only, and there is no deny rule.
TABLE 3.3 Security Group Rule Attributes
Attribute   Meaning
Port   The port number affected by this rule. For instance, port 80 for HTTP traffic.
Protocol   The communications standard for the traffic affected by this rule.
Source/Destination   Identifies the other end of the communication: the source for incoming traffic rules, or the destination for outgoing traffic rules. The source/destination can be defined in two ways:
CIDR block—An x.x.x.x/x style definition that defines a specific range of IP addresses.
Security group—Includes any instance that is associated with the given security group. This helps prevent coupling security group rules with specific IP addresses.
A security group is a stateful firewall; that is, an outgoing message is remembered so that the response is allowed through the security group without an explicit inbound rule being required.
Security groups are applied at the instance level, as opposed to a traditional on-premises firewall that protects at the perimeter. The effect of this is that instead of having to breach a single perimeter to access all the instances in your security group, an attacker would have to breach the security group repeatedly for each individual instance.
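The rules above (default deny, union of all attached groups, a source given either as a CIDR block or as another security group, and stateful return traffic) are easy to get wrong when reviewing a configuration, so here is a small model of them as an added example. This is not AWS code and makes no API calls: the group IDs, addresses and the membership table are constructed for illustration, and outbound traffic is assumed to be governed by the default VPC outbound rule (allow all). The `GROUP_A`/`GROUP_B` pair is the book's RDP plus HTTP/S scenario.

```python
# Added example (not AWS code): a model of the security group semantics
# described above. Group IDs, addresses and the sample fleet are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    port: int       # one port for brevity; real rules take a port range
    source: str     # a CIDR block ("0.0.0.0/0") or a security group ID ("sg-...")


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)


# Which groups each instance (keyed by private IP) is associated with.
# Needed to resolve rules whose source is another security group.
MEMBERSHIP = {
    "10.0.1.10": {"sg-web"},   # web tier instance
    "10.0.3.30": set(),        # some other instance, in no group we reference
}


def source_matches(rule_source, src_ip):
    """Table 3.3 source forms: a security group reference or a CIDR block."""
    if rule_source.startswith("sg-"):
        return rule_source in MEMBERSHIP.get(src_ip, set())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source, strict=False)


def inbound_allowed(groups, protocol, port, src_ip):
    """Default deny, aggregated across groups: any matching rule in any
    attached group admits the traffic; no rule can deny it."""
    return any(
        r.protocol == protocol and r.port == port and source_matches(r.source, src_ip)
        for g in groups for r in g.inbound
    )


class ConnectionTracker:
    """Stateful behaviour: a flow admitted by a rule (or initiated outbound)
    is remembered, and packets in the reverse direction pass without a rule."""
    def __init__(self):
        self.flows = set()

    def remember(self, proto, src_ip, src_port, dst_ip, dst_port):
        self.flows.add((proto, src_ip, src_port, dst_ip, dst_port))

    def is_reply(self, proto, src_ip, src_port, dst_ip, dst_port):
        return (proto, dst_ip, dst_port, src_ip, src_port) in self.flows


def packet_allowed(groups, tracker, proto, src_ip, src_port, dst_ip, dst_port, direction):
    """direction is "in" (toward the instance) or "out" (from the instance)."""
    if tracker.is_reply(proto, src_ip, src_port, dst_ip, dst_port):
        return True                      # reply to a tracked flow: no rule needed
    if direction == "in":
        ok = inbound_allowed(groups, proto, dst_port, src_ip)
    else:
        ok = True                        # assumption: default VPC outbound rule (allow all)
    if ok:
        tracker.remember(proto, src_ip, src_port, dst_ip, dst_port)
    return ok


# The book's scenario: group A admits RDP from 72.58.0.0/16, group B admits
# HTTP and HTTPS from anywhere, and the instance carries both groups.
GROUP_A = SecurityGroup("sg-admin", [Rule("tcp", 3389, "72.58.0.0/16")])
GROUP_B = SecurityGroup("sg-public", [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "0.0.0.0/0")])
BOTH = [GROUP_A, GROUP_B]

# A database group whose source is another group rather than an address range.
GROUP_DB = SecurityGroup("sg-db", [Rule("tcp", 3306, "sg-web")])

if __name__ == "__main__":
    print("RDP from 72.58.1.1:", inbound_allowed(BOTH, "tcp", 3389, "72.58.1.1"))
    print("RDP from 8.8.8.8:  ", inbound_allowed(BOTH, "tcp", 3389, "8.8.8.8"))
    print("MySQL from web tier:", inbound_allowed([GROUP_DB], "tcp", 3306, "10.0.1.10"))
```

The `sg-web` source on `GROUP_DB` is the pattern the text recommends over hard-coded addresses: a replacement web instance becomes a permitted source the moment it is launched into `sg-web`, with no rule change. The tracker shows why an instance that only ever initiates connections needs no inbound rules at all.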
The Lifecycle of Instances
Amazon EC2 has several features and services that facilitate the management of Amazon EC2 instances over their entire lifecycle.
Launching
There are several additional services that are useful when launching new Amazon EC2 instances.
Bootstrapping
A great benefit of the cloud is the ability to script virtual hardware management in a manner that is not possible with on-premises hardware. In order to realize the value of this, there has to be some way to configure instances and install applications programmatically when an instance is launched. The process of providing code to be run on an instance at launch is called bootstrapping.
One of the parameters when an instance is launched is a string value called UserData. This string is passed to the operating system to be executed as part of the launch process the first time the instance is booted. On Linux instances this can be a shell script, and on Windows instances this can be a batch-style script or a PowerShell script. The script can perform tasks such as:
Applying patches and updates to the OS
Enrolling in a directory service
Installing application software
Copying a longer script or program from storage to be run on the instance
Installing Chef or Puppet and assigning the instance a role so the configuration management software can configure the instance
UserData is stored with the instance and is not encrypted, so it is important not to include any secrets such as passwords or keys in the UserData. It is also readable from the instance metadata service (described below) by any process running on the instance, and through the API by anyone permitted to describe the instance's attributes.
VM Import/Export
In addition to importing virtual instances as AMIs, VM Import/Export enables you to easily import Virtual Machines (VMs) from your existing environment as an Amazon EC2 instance and export them back to your on-premises environment. You can only export previously imported Amazon EC2 instances. Instances launched within AWS from AMIs cannot be exported.
Instance Metadata
Instance metadata is data about your instance that you can use to configure or manage the running instance. This is unique in that it is a mechanism to obtain AWS properties of the instance from within the OS without making a call to the AWS API. An HTTP call to http://169.254.169.254/latest/meta-data/ will return the top node of the instance metadata tree. Instance metadata includes a wide variety of attributes, including:
The associated security groups
The instance ID
The instance type
The AMI used to launch the instance
This only begins to scratch the surface of the information available in the metadata. Consult the AWS documentation for a full list.
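The metadata endpoint is a tree: a GET on a node ending in "/" returns its children one per line, and children that themselves end in "/" are subtrees. The walker below, added here as an example rather than code from the book or from AWS, recurses over that structure. It takes the fetch function as a parameter so it runs offline against a constructed in-memory tree (`SAMPLE_TREE`; every value in it is made up), while `imdsv2_fetch` shows the real request against the link-local address, including the session-token exchange that the current IMDSv2 service requires (the token endpoint and header names are a later addition to the service and are not covered by the book's text; they are real, but their use here is this example's choice). The mapping from a MAC address to per-interface data is the layout the real service uses; the MAC itself is invented.

```python
# Added example (not AWS code): walk the instance metadata tree. The default
# fetch function serves a CONSTRUCTED in-memory tree so the walk runs offline.
import urllib.request

IMDS = "http://169.254.169.254/latest/"

# Constructed sample of what listings and leaves look like (not captured from AWS).
# A listing is newline-separated; names ending in "/" are subtrees.
SAMPLE_TREE = {
    "meta-data/": "ami-id\ninstance-id\ninstance-type\nsecurity-groups\nnetwork/",
    "meta-data/ami-id": "ami-0123456789abcdef0",
    "meta-data/instance-id": "i-0123456789abcdef0",
    "meta-data/instance-type": "m4.large",
    "meta-data/security-groups": "sg-web\nsg-admin",
    "meta-data/network/": "interfaces/",
    "meta-data/network/interfaces/": "macs/",
    "meta-data/network/interfaces/macs/": "0a:1b:2c:3d:4e:5f/",
    "meta-data/network/interfaces/macs/0a:1b:2c:3d:4e:5f/": "local-ipv4s\nsecurity-group-ids",
    "meta-data/network/interfaces/macs/0a:1b:2c:3d:4e:5f/local-ipv4s": "10.0.1.10",
    "meta-data/network/interfaces/macs/0a:1b:2c:3d:4e:5f/security-group-ids": "sg-0a1b2c3d",
}


def fake_fetch(path):
    """Offline stand-in for the metadata service."""
    return SAMPLE_TREE[path]


def imdsv2_fetch(path, token_ttl=300):
    """Fetch from a real instance (network required). IMDSv2 first obtains a
    short-lived session token with a PUT, then presents it on every GET, which
    is what stops a plain SSRF-style GET from reading the tree."""
    req = urllib.request.Request(
        IMDS + "api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def walk(path="meta-data/", fetch=fake_fetch):
    """Return {leaf_path: value} for everything under `path`."""
    result = {}
    for entry in fetch(path).splitlines():
        child = path + entry
        if entry.endswith("/"):
            result.update(walk(child, fetch))   # subtree: recurse
        else:
            result[child] = fetch(child)        # leaf: read its value
    return result


if __name__ == "__main__":
    for leaf, value in sorted(walk().items()):
        print(leaf, "=", value.replace("\n", ","))
```

Run `walk("meta-data/", imdsv2_fetch)` on an actual instance to dump the real tree; anything this prints is available to every local process and to any server-side request-forgery bug in software on the instance, which is the practical reason behind the UserData warning above.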
Managing Instances
When the number of instances in your account starts to climb, it can become difficult to keep track of them. Tags can help you manage not just your Amazon EC2 instances, but also many of your AWS Cloud services. Tags are key/value pairs you can associate with your instance or other service. Tags can be used to identify attributes of an instance like project, environment (dev, test, and so on), billable department, and so forth. At the time of this writing you can apply up to 10 tags per instance; check the AWS documentation for the current limit. Table 3.4 shows some tag suggestions.
TABLE 3.4 Sample Tags
Key   Value
Project   TimeEntry
Environment   Production
BillingCode   4004
Monitoring Instances
AWS offers a service called Amazon CloudWatch that provides monitoring and alerting for Amazon EC2 instances, and also other AWS infrastructure. Amazon CloudWatch is discussed in detail in Chapter 5, “Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling.”
Modifying an Instance
There are several aspects of an instance that can be modified after launch.
Instance Type
The ability to change the instance type of an instance contributes greatly to the agility of running workloads in the cloud. Instead of committing to a certain hardware configuration months before a workload is launched, the workload can be launched using a best estimate for the instance type. If the compute needs prove to be higher or lower than expected, the instances can be changed to a different size more appropriate to the workload.
Instances can be resized using the AWS Management Console, CLI, or API. To resize an instance, set the state to Stopped. Choose the “Change Instance Type” function in the tool of your choice (the instance type is listed as an Instance Setting in the console and an Instance Attribute in the CLI) and select the desired instance type. Start the instance and the process is complete. Note that stopping the instance discards any data on its instance store volumes (see “Instance Stores” later in this chapter).
Security Groups
If an instance is running in an Amazon VPC (discussed in Chapter 4), you can change which security groups are associated with an instance while the instance is running. For instances outside of an Amazon VPC (called EC2-Classic), the association of the security groups cannot be changed after launch.
Termination Protection
When an Amazon EC2 instance is no longer needed, the state can be set to Terminated and the instance will be shut down and removed from the AWS infrastructure. In order to prevent termination via the AWS Management Console, CLI, or API, termination protection can be enabled for an instance. While enabled, calls to terminate the instance will fail until termination protection is disabled. This helps to prevent accidental termination through human error.
Note that this just protects from termination calls from the AWS Management Console, CLI, or API. It does not prevent termination triggered by an OS shutdown command, termination from an Auto Scaling group (discussed in Chapter 5), or termination of a Spot Instance due to Spot price changes (discussed in the next section).
Options
There are several additional options available in Amazon EC2 to improve cost optimization, security, and performance that are important to know for the exam.
Pricing Options
You are charged for Amazon EC2 instances for each hour that they are in a running state, but the amount you are charged per hour can vary based on three pricing options: On-Demand Instances, Reserved Instances, and Spot Instances.
On-Demand Instances
The price per hour for each instance type published on the AWS website represents the price for On-Demand Instances. This is the most flexible pricing option, as it requires no up-front commitment, and the customer has control over when the instance is launched and when it is terminated. It is the least cost effective of the three pricing options per compute hour, but its flexibility allows customers to save by provisioning a variable level of compute for unpredictable workloads.
Reserved Instances
The Reserved Instance pricing option enables customers to make capacity reservations for predictable workloads. By using Reserved Instances for these workloads, customers can save up to 75 percent over the on-demand hourly rate. When purchasing a reservation, the customer specifies the instance type and Availability Zone for that Reserved Instance and achieves a lower effective hourly price for that instance for the duration of the reservation. An additional benefit is that capacity in the AWS data centers is reserved for that customer. There are two factors that determine the cost of the reservation: the term commitment and the payment option.
The term commitment is the duration of the reservation and can be either one or three years. The longer the commitment, the bigger the discount.
There are three different payment options for Reserved Instances:
All Upfront—Pay for the entire reservation up front. There is no monthly charge for the customer during the term.
Partial Upfront—Pay a portion of the reservation charge up front and the rest in monthly installments for the duration of the term.
No Upfront—Pay the entire reservation charge in monthly installments for the duration of the term.
The amount of the discount is greater the more the customer pays up front.
For example, let's look at the effect of an All Upfront, three-year reservation on the effective hourly cost of an m4.2xlarge instance. The cost of running one instance continuously for three years (or 26,280 hours) at both pricing options is shown in Table 3.5.
TABLE 3.5 Reserved Instance Pricing Example
Pricing Option   Effective Hourly Cost   Total Three-Year Cost
On-Demand   $0.479/hour   $0.479/hour * 26,280 hours = $12,588.12
Three-Year All Upfront Reservation   $4,694 / 26,280 hours = $0.1786/hour   $4,694
Savings   63%
This example uses the published prices at the time of this writing. AWS has lowered prices many times to date, so check the AWS website for current pricing information.
When your computing needs change, you can modify your Reserved Instances and continue to benefit from your capacity reservation. Modification does not change the remaining term of your Reserved Instances; their end dates remain the same. There is no fee, and you do not receive any new bills or invoices. Modification is separate from purchasing and does not affect how you use, purchase, or sell Reserved Instances. You can modify your whole reservation, or just a subset, in one or more of the following ways:
Switch Availability Zones within the same region.
Change between EC2-VPC and EC2-Classic.
Change the instance type within the same instance family (Linux instances only).
Spot Instances
For workloads that are not time critical and are tolerant of interruption, Spot Instances offer the greatest discount. With Spot Instances, customers specify the price they are willing to pay for a certain instance type. When the customer's bid price is above the current Spot price, the customer will receive the requested instance(s). These instances will operate like all other Amazon EC2 instances, and the customer will only pay the Spot price for the hours that the instance(s) run. The instances will run until:
The customer terminates them.
The Spot price goes above the customer's bid price.
There is not enough unused capacity to meet the demand for Spot Instances.
If Amazon EC2 needs to terminate a Spot Instance, the instance will receive a termination notice providing a two-minute warning prior to Amazon EC2 terminating the instance.
Because of the possibility of interruption, Spot Instances should only be used for workloads tolerant of interruption. This could include analytics, financial modeling, big data, media encoding, scientific computing, and testing.
Architectures with Different Pricing Models
For the exam, it's important to know how to take advantage of the different pricing models to create a cost-efficient architecture. Such an architecture may include different pricing models within the same workload. For instance, a website that averages 5,000 visits a day, but ramps up to 20,000 visits a day during periodic peaks, may purchase two Reserved Instances to handle the average traffic, but depend on On-Demand Instances to fulfill compute needs during the peak times. Figure 3.2 shows such an architecture.
FIGURE 3.2 A workload using a mix of On-Demand and Reserved Instances
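The "two Reserved Instances plus On-Demand for peaks" choice in Figure 3.2 can be checked rather than guessed. The model below is an added example, not from the book or from AWS: it uses the m4.2xlarge rates of Table 3.5 (On-Demand $0.479/hour; three-year All Upfront effective $0.1786/hour, which is paid for every hour of the term whether or not the instance is busy) and a constructed 24-hour demand profile with a base of two instances and a four-hour peak of eight. It finds the number of reservations that minimises cost and the utilisation at which one reservation breaks even.

```python
# Added example (not AWS code): cost of a mixed Reserved/On-Demand fleet over a
# demand profile. Rates are the Table 3.5 figures; the demand profile is CONSTRUCTED.
ON_DEMAND_RATE = 0.479     # $/instance-hour (Table 3.5)
RESERVED_RATE = 0.1786     # effective $/instance-hour (Table 3.5), paid whether used or not

# Constructed profile: instances needed in each of 24 hours (base 2, peak 8 for 4 hours).
PROFILE = [2] * 20 + [8] * 4


def hourly_cost(demand, reserved):
    """Cost of one hour needing `demand` instances when `reserved` RIs are owned.
    Every RI is paid for; demand above the RIs is served On-Demand."""
    on_demand = max(demand - reserved, 0)
    return reserved * RESERVED_RATE + on_demand * ON_DEMAND_RATE


def period_cost(profile, reserved):
    """Total cost of the profile with a fixed number of RIs."""
    return sum(hourly_cost(d, reserved) for d in profile)


def best_reservation(profile):
    """Number of RIs that minimises cost over the profile (brute force up to the peak).
    Returns (count, total_cost)."""
    costs = {n: period_cost(profile, n) for n in range(max(profile) + 1)}
    n = min(costs, key=costs.get)
    return n, costs[n]


def utilisation_breakeven():
    """Fraction of hours an RI must be in use to be cheaper than paying On-Demand."""
    return RESERVED_RATE / ON_DEMAND_RATE


if __name__ == "__main__":
    for n in range(max(PROFILE) + 1):
        print(f"{n} RIs: ${period_cost(PROFILE, n):.4f}")
    print("best:", best_reservation(PROFILE))
    print(f"break-even utilisation: {utilisation_breakeven():.0%}")
```

With these numbers the optimum is indeed two reservations: a third RI would serve the peak for only 4 of 24 hours (17 percent utilisation), well below the roughly 37 percent at which an RI pays for itself, so those hours are cheaper On-Demand.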
Tenancy Options
There are several tenancy options for Amazon EC2 instances that can help customers achieve security and compliance goals.
Shared Tenancy
Shared tenancy is the default tenancy model for all Amazon EC2 instances, regardless of instance type, pricing model, and so forth. Shared tenancy means that a single host machine may house instances from different customers. As AWS does not use overprovisioning and fully isolates instances from other instances on the same host, this is a secure tenancy model.
Dedicated Instances
Dedicated Instances run on hardware that's dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Other instances in the account (those not designated as dedicated) will run on shared tenancy and will be isolated at the hardware level from the Dedicated Instances in the account.
Dedicated Host
An Amazon EC2 Dedicated Host is a physical server with Amazon EC2 instance capacity fully dedicated to a single customer's use. Dedicated Hosts can help you address licensing requirements and reduce costs by allowing you to use your existing server-bound software licenses. The customer has complete control over which specific host runs an instance at launch. This differs from Dedicated Instances in that a Dedicated Instance can launch on any hardware that has been dedicated to the account.
Placement Groups
A placement group is a logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. Remember that this represents network connectivity between instances. To fully use this network performance for your placement group, choose an instance type that supports enhanced networking and 10 Gbps network performance.
Instance Stores
An instance store (sometimes referred to as ephemeral storage) provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. An instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.
The size and type of instance stores available with an Amazon EC2 instance depend on the instance type. At this writing, storage available with various instance types ranges from no instance stores up to twenty-four 2 TB instance stores. The instance type also determines the type of hardware for the instance store volumes. While some provide Hard Disk Drive (HDD) instance stores, other instance types use Solid State Drives (SSDs) to deliver very high random I/O performance.
Instance stores are included in the cost of an Amazon EC2 instance, so they are a very cost-effective solution for appropriate workloads. The key aspect of instance stores is that they are temporary. Data in the instance store is lost when:
The underlying disk drive fails.
The instance stops (the data will persist if an instance reboots).
The instance terminates.
Therefore, do not rely on instance stores for valuable, long-term data. Instead, build a degree of redundancy via RAID or use a file system that supports redundancy and fault tolerance such as Hadoop's HDFS. Back up the data to more durable data storage solutions such as Amazon Simple Storage Service (Amazon S3) or Amazon EBS often enough to meet recovery point objectives.
Amazon Elastic Block Store (Amazon EBS)
While instance stores are an economical way to fulfill appropriate workloads, their limited persistence makes them ill-suited for many other workloads. For workloads requiring more durable block storage, Amazon provides Amazon EBS.
Elastic Block Store Basics
Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes are available in a variety of types that differ in performance characteristics and price. Multiple Amazon EBS volumes can be attached to a single Amazon EC2 instance, although a volume can only be attached to a single instance at a time.
Types of Amazon EBS Volumes
Amazon EBS volumes are available in several different types. Types vary in areas such as underlying hardware, performance, and cost. It is important to know the properties of the different types so you can specify the most cost-efficient type that meets a workload's performance demands on the exam.
Magnetic Volumes
Magnetic volumes have the lowest performance characteristics of all Amazon EBS volume types. As such, they cost the lowest per gigabyte. They are an excellent, cost-effective solution for appropriate workloads.
A magnetic Amazon EBS volume can range in size from 1 GB to 1 TB and will average 100 IOPS, but has the ability to burst to hundreds of IOPS. They are best suited for:
Workloads where data is accessed infrequently
Sequential reads
Situations where low-cost storage is a requirement
Magnetic volumes are billed based on the amount of data space provisioned, regardless of how much data you actually store on the volume.
General-Purpose SSD
General-purpose SSD volumes offer cost-effective storage that is ideal for a broad range of workloads. They deliver strong performance at a moderate price point that is suitable for a wide range of workloads.
A general-purpose SSD volume can range in size from 1 GB to 16 TB and provides a baseline performance of three IOPS per gigabyte provisioned, capping at 10,000 IOPS. For instance, if you provision a 1 TB volume, you can expect a baseline performance of 3,000 IOPS. A 5 TB volume will not provide a 15,000 IOPS baseline, as it would hit the cap at 10,000 IOPS.
General-purpose SSD volumes under 1 TB also feature the ability to burst to up to 3,000 IOPS for extended periods of time. For instance, if you have a 500 GB volume you can expect a baseline of 1,500 IOPS. Whenever you are not using these IOPS, they are accumulated as I/O credits. When your volume then has heavy traffic, it will use the I/O credits at a rate of up to 3,000 IOPS until they are depleted. At that point, your performance reverts to 1,500 IOPS. At 1 TB, the baseline performance of the volume is already at 3,000 IOPS, so bursting behavior does not apply.
General-purpose SSD volumes are billed based on the amount of data space provisioned, regardless of how much data you actually store on the volume. They are suited for a wide range of workloads where the very highest disk performance is not critical, such as:
System boot volumes
Small- to medium-sized databases
Development and test environments
Provisioned IOPS SSD
Provisioned IOPS SSD volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. While they are the most expensive Amazon EBS volume type per gigabyte, they provide the highest performance of any Amazon EBS volume type in a predictable manner.
A Provisioned IOPS SSD volume can range in size from 4 GB to 16 TB. When you provision a Provisioned IOPS SSD volume, you specify not just the size, but also the desired number of IOPS, up to the lower of the maximum of 30 times the number of GB of the volume, or 20,000 IOPS. You can stripe multiple volumes together in a RAID 0 configuration for larger size and greater performance. Amazon EBS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year.
Pricing is based on the size of the volume and the amount of IOPS reserved. The cost per gigabyte is slightly more than that of general-purpose SSD volumes and is applied based on the size of the volume, not the amount of the volume used to store data. An additional monthly fee is applied based on the number of IOPS provisioned, whether they are consumed or not.
Provisioned IOPS SSD volumes provide predictable, high performance and are well suited for:
Critical business applications that require sustained IOPS performance
Large database workloads
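The general-purpose SSD baseline and burst rules and the Provisioned IOPS limit above are simple enough to turn into a model that answers the question the text raises but does not quantify: how long a volume under 1 TB can actually hold 3,000 IOPS before dropping to its baseline. The code below is an added example, not from the book or from AWS. The baseline, cap and burst figures are the ones quoted in the text; the size of the I/O credit bucket is an assumption of this model (5,400,000 credits, i.e. 30 minutes at 3,000 IOPS from a full bucket) and is not a figure given on the page.

```python
# Added example (not AWS code): the general-purpose SSD baseline/burst rules and
# the Provisioned IOPS limit quoted above, as functions. CREDIT_BUCKET is an
# ASSUMPTION of this model, not a figure from the book.
GP2_IOPS_PER_GIB = 3
GP2_BASELINE_CAP = 10_000
GP2_BURST_IOPS = 3_000
CREDIT_BUCKET = 5_400_000   # assumed: 30 minutes of 3,000 IOPS from a full bucket
PIOPS_PER_GIB = 30
PIOPS_CAP = 20_000


def gp2_baseline(size_gib):
    """3 IOPS per GiB, capped at 10,000 (so 1 TiB -> 3,000; 5 TiB -> 10,000)."""
    return min(size_gib * GP2_IOPS_PER_GIB, GP2_BASELINE_CAP)


def piops_limit(size_gib):
    """Most IOPS you may provision: the lower of 30 per GiB and 20,000."""
    return min(size_gib * PIOPS_PER_GIB, PIOPS_CAP)


def gp2_burst_seconds(size_gib, credits=CREDIT_BUCKET):
    """Seconds a full bucket sustains 3,000 IOPS. Credits accrue at the baseline
    rate while being spent at the burst rate, so the bucket drains at
    (burst - baseline) per second. None when the volume cannot burst."""
    baseline = gp2_baseline(size_gib)
    if baseline >= GP2_BURST_IOPS:
        return None
    return credits / (GP2_BURST_IOPS - baseline)


def gp2_simulate(size_gib, demand_iops, seconds, credits=CREDIT_BUCKET):
    """Second-by-second credit bucket under a constant demand.
    Returns (IOPS delivered in the last second, credits remaining)."""
    baseline = gp2_baseline(size_gib)
    ceiling = max(baseline, GP2_BURST_IOPS)   # under 1 TiB the ceiling is 3,000
    delivered = 0
    for _ in range(seconds):
        credits = min(credits + baseline, CREDIT_BUCKET)   # accrue, bucket is capped
        delivered = min(demand_iops, ceiling, credits)     # spend what is available
        credits -= delivered
    return delivered, credits


if __name__ == "__main__":
    for size in (100, 500, 1000, 5000):
        print(f"{size} GiB: baseline {gp2_baseline(size)} IOPS, "
              f"burst for {gp2_burst_seconds(size)} s, PIOPS limit {piops_limit(size)}")
    print("500 GiB at 3,000 IOPS after 4,000 s:", gp2_simulate(500, 3000, 4000))
```

The simulation makes the failure mode concrete: a 500 GiB volume that benchmarks at 3,000 IOPS for the first hour is a 1,500 IOPS volume under sustained load, which is the case for choosing Provisioned IOPS when the workload's demand is steady rather than bursty.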
Table 3.6 compares these Amazon EBS volume types.
TABLE 3.6 EBS Volume Type Comparison
Use cases
  General-Purpose SSD: System boot volumes; virtual desktops; small- to medium-sized databases; development and test environments
  Provisioned IOPS SSD: Critical business applications that require sustained IOPS performance, or more than 10,000 IOPS or 160 MB/s of throughput per volume; large database workloads
  Magnetic: Cold workloads where data is infrequently accessed; scenarios where the lowest storage cost is important
Volume size
  General-Purpose SSD: 1 GiB–16 TiB
  Provisioned IOPS SSD: 4 GiB–16 TiB
  Magnetic: 1 GiB–1 TiB
Maximum throughput
  General-Purpose SSD: 160 MB/s
  Provisioned IOPS SSD: 320 MB/s
  Magnetic: 40–90 MB/s
IOPS performance
  General-Purpose SSD: Baseline performance of 3 IOPS/GiB (up to 10,000 IOPS) with the ability to burst to 3,000 IOPS for volumes under 1,000 GiB
  Provisioned IOPS SSD: Consistently performs at the provisioned level, up to 20,000 IOPS maximum
  Magnetic: Averages 100 IOPS, with the ability to burst to hundreds of IOPS
At the time of this writing, AWS released two new HDD volume types: Throughput-Optimized HDD and Cold HDD. Over time, it is expected that these new types will eclipse the current magnetic volume type, fulfilling the needs of any workload requiring HDD performance.
Throughput-Optimized HDD volumes are low-cost HDD volumes designed for frequent-access, throughput-intensive workloads such as big data, data warehouses, and log processing. Volumes can be up to 16 TB with a maximum of 500 IOPS and a maximum throughput of 500 MB/s. These volumes are significantly less expensive than general-purpose SSD volumes.
Cold HDD volumes are designed for less frequently accessed workloads, such as colder data requiring fewer scans per day. Volumes can be up to 16 TB with a maximum of 250 IOPS and a maximum throughput of 250 MB/s. These volumes are significantly less expensive than Throughput-Optimized HDD volumes.
Amazon EBS-Optimized Instances
When using any volume type other than magnetic, and when Amazon EBS I/O is of consequence, it is important to use Amazon EBS-optimized instances to ensure that the Amazon EC2 instance is prepared to take advantage of the I/O of the Amazon EBS volume. An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your Amazon EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. When you select Amazon EBS-optimized for an instance, you pay an additional hourly charge for that instance. Check the AWS documentation to confirm which instance types are available as Amazon EBS-optimized instances.
Protecting Data
Over the lifecycle of an Amazon EBS volume, there are several practices and services that you should know about when taking the exam.
Backup/Recovery (Snapshots)
You can back up the data on your Amazon EBS volumes, regardless of volume type, by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed since your most recent snapshot are saved.
Taking Snapshots
You can take snapshots in many ways:
Through the AWS Management Console
Through the CLI
Through the API
By setting up a schedule of regular snapshots
Data for the snapshot is stored using Amazon S3 technology. The action of taking a snapshot is free. You pay only the storage costs for the snapshot data.
When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3. The snapshot captures the blocks as they were at the moment of the request, so a volume that is being written to yields a crash-consistent image; to guarantee application consistency, flush and pause writes (for example, unmount or freeze the file system) before requesting it.
It's important to know that while snapshots are stored using Amazon S3 technology, they are stored in AWS-controlled storage and not in your account's Amazon S3 buckets. This means you cannot manipulate them like other Amazon S3 objects. Rather, you must use the Amazon EBS snapshot features to manage them. Snapshots are constrained to the region in which they are created, meaning you can use them to create new volumes only in the same region. If you need to restore a snapshot in a different region, you can copy a snapshot to another region.
Creating a Volume from a Snapshot
To use a snapshot, you create a new Amazon EBS volume from the snapshot. When you do this, the volume is created immediately but the data is loaded lazily. This means that the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request. Because of this, it is a best practice to initialize a volume created from a snapshot by accessing all the blocks in the volume.
Snapshots can also be used to increase the size of an Amazon EBS volume. To increase the size of an Amazon EBS volume, take a snapshot of the volume, then create a new volume of the desired size from the snapshot. Replace the original volume with the new volume.
Recovering Volumes
Because Amazon EBS volumes persist beyond the lifetime of an instance, it is possible to recover data if an instance fails. If an Amazon EBS-backed instance fails and there is data on the boot drive, it is relatively straightforward to detach the volume from the instance. Unless the DeleteOnTermination flag for the volume has been set to false, the volume should be detached before the instance is terminated. The volume can then be attached as a data volume to another instance and the data read and recovered.
Encryption Options
Many workloads have requirements that data be encrypted at rest, either because of compliance regulations or internal corporate standards. Amazon EBS offers native encryption on all volume types.
When you launch an encrypted Amazon EBS volume, Amazon uses the AWS Key Management Service (KMS) to handle key management. A new master key will be created unless you select a master key that you created separately in the service. Your data and associated keys are encrypted using the industry-standard AES-256 algorithm. The encryption occurs on the servers that host Amazon EC2 instances, so the data is actually encrypted in transit between the host and the storage media and also on the media. (Consult the AWS documentation for a list of instance types that support Amazon EBS encryption.) Encryption is transparent, so all data access is the same as for unencrypted volumes, and you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency. Because the encryption is transparent to the instance, it protects against access to the underlying storage media, not against a user or process that can read the attached volume through the instance; controlling who may use the KMS key (through its key policy and IAM) is what limits who can attach or restore the volume. Snapshots that are taken from encrypted volumes are automatically encrypted, as are volumes that are created from encrypted snapshots.
Summary
Compute is the amount of computational power required to fulfill your workload. Amazon EC2 is the primary service for providing compute to customers.
The instance type defines the virtual hardware supporting the instance. Available instance types vary in vCPUs, memory, storage, and network performance to address nearly any workload.
An AMI defines the initial software state of the instance, both OS and applications. There are four sources of AMIs: AWS-published generic OSs, partner-published AMIs in the AWS Marketplace with software packages preinstalled, customer-generated AMIs from existing Amazon EC2 instances, and uploaded AMIs from virtual servers.
Instances can be addressed by public DNS name, public IP address, or elastic IP address. To access a newly launched Linux instance, use the private half of the key pair to connect to the instance via SSH. To access a newly created Windows instance, use the private half of the key pair to decrypt the randomly initialized local administrator password.
Network traffic in and out of an instance can be controlled by a virtual firewall called a security group. A security group denies all traffic by default and holds only allow rules; each rule permits traffic based on direction, port, protocol, and source/destination address.
Bootstrapping allows you to run a script to initialize your instance with OS configurations and applications. This feature allows instances to configure themselves upon launch. Once an instance is launched, you can change its instance type or, for Amazon VPC instances, the security groups with which it is associated.
The three pricing options for instances are On-Demand, Reserved Instance, and Spot. On-Demand has the highest per-hour cost, requiring no up-front commitment and giving you complete control over the lifetime of the instance. Reserved Instances require a commitment and provide a reduced overall cost over the lifetime of the reservation. Spot Instances are idle compute capacity that AWS makes available based on bid prices from customers. The savings on the per-hour cost can be significant, but instances can be shut down when the Spot price exceeds the customer's current bid.
Instance stores are block storage included with the hourly cost of the instance. The amount and type of storage available varies with the instance type. Instance store data is lost when the associated instance is stopped or terminated, so instance stores should only be used for temporary data or in architectures providing redundancy such as Hadoop's HDFS.
Amazon EBS provides durable block storage in several types. Magnetic has the lowest cost per gigabyte and delivers modest performance. General-purpose SSD is cost-effective storage that can provide up to 10,000 IOPS. Provisioned IOPS SSD has the highest cost per gigabyte and is well suited for I/O-intensive workloads sensitive to storage performance. Snapshots are incremental backups of Amazon EBS volumes stored in Amazon S3. Amazon EBS volumes can be encrypted.
Exam Essentials
Know the basics of launching an Amazon EC2 instance. To launch an instance, you must specify an AMI, which defines the software on the instance at launch, and an instance type, which defines the virtual hardware supporting the instance (memory, vCPUs, and so on).
Know what architectures are suited for what Amazon EC2 pricing options. Spot Instances are best suited for workloads that can accommodate interruption. Reserved Instances are best for consistent, long-term compute needs. On-Demand Instances provide flexible compute to respond to scaling needs.
Know how to combine multiple pricing options that result in cost optimization and scalability. On-Demand Instances can be used to scale up a web application running on Reserved Instances in response to a temporary traffic spike. For a workload with several Reserved Instances reading from a queue, it's possible to use Spot Instances to alleviate heavy traffic in a cost-effective way. These are just two of countless examples where a workload may use different pricing options.
Know the benefits of enhanced networking. Enhanced networking enables you to get significantly higher PPS performance, lower network jitter, and lower latencies.
Know the capabilities of VM Import/Export. VM Import/Export allows you to import existing VMs to AWS as Amazon EC2 instances or AMIs. Amazon EC2 instances that were imported through VM Import/Export can also be exported back to a virtual environment.
Know the methods for accessing an instance over the Internet. You can access an Amazon EC2 instance over the web via public IP address, elastic IP address, or public DNS name. There are additional ways to access an instance within an Amazon VPC, including private IP addresses and ENIs.
Know the lifetime of an instance store. Data on an instance store is lost when the instance is stopped or terminated. Instance store data survives an OS reboot.
Know the properties of the Amazon EC2 pricing options. On-Demand Instances require no up-front commitment, can be launched any time, and are billed by the hour. Reserved Instances require an up-front commitment and vary in cost depending on whether they are paid all up front, partially up front, or not up front. Spot Instances are launched when your bid price exceeds the current Spot price. Spot Instances will run until the Spot price exceeds your bid price, in which case the instance will get a two-minute warning and terminate.
Know what determines network performance. Every instance type is rated for low, moderate, high, or 10 Gbps network performance, with larger instance types generally having higher ratings. Additionally, some instance types offer enhanced networking, which provides additional improvement in network performance.
Know what instance metadata is and how it's obtained. Metadata is information about an Amazon EC2 instance, such as instance ID, instance type, and security groups, that is available from within the instance. It can be obtained through an HTTP call to a specific link-local IP address (169.254.169.254). Note that this endpoint answers any process on the instance without authentication, and it also serves the temporary credentials of any IAM role attached to the instance, so a server-side request forgery flaw in an application running there can expose them; the token-based IMDSv2 was later introduced to close that gap.
Know how security groups protect instances. Security groups are virtual firewalls controlling traffic in and out of your Amazon EC2 instances. They are deny by default, and you can allow traffic by adding rules specifying traffic direction, port, protocol, and source or destination address (via a Classless Inter-Domain Routing [CIDR] block). They are applied at the instance level, meaning that traffic between instances in the same security group must adhere to the rules of that security group. They are stateful, meaning that an outgoing rule will allow the response without a correlating incoming rule.
Know how to interpret the effect of security groups. When an instance is a member of multiple security groups, the effect is a union of all the rules in all the groups.
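The four properties just listed (deny by default, allow rules only, union across groups, stateful) can be expressed as a small evaluator. This is an added example, not code from the book or from AWS, and it is illustrative only, not how the EC2 data plane is implemented; the `Rule` type, the `established` connection table and the sample addresses are constructed here, and the two sample groups reproduce the scenario of Review Question 5.

```python
# Added example (not from the book or from AWS): evaluating the effective inbound
# policy of one or more security groups. Illustrative model, not AWS's implementation.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule: protocol, inclusive port range and permitted source CIDR."""
    protocol: str        # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    source_cidr: str


def rule_matches(rule: Rule, protocol: str, port: int, source_ip: str) -> bool:
    return (rule.protocol == protocol
            and rule.from_port <= port <= rule.to_port
            and ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule.source_cidr))


def effective_rules(groups: Iterable[Iterable[Rule]]) -> Set[Rule]:
    """An instance in several groups is governed by the union of all their rules."""
    return {rule for group in groups for rule in group}


def inbound_allowed(groups: Iterable[Iterable[Rule]], protocol: str, port: int,
                    source_ip: str,
                    established: Set[Tuple[str, int, str]] = frozenset()) -> bool:
    """Decide whether an inbound packet reaches the instance.

    `established` holds (protocol, local_port, remote_ip) tuples for connections
    the instance itself opened; replies to those are allowed without any inbound
    rule, which is what "stateful" means here. Everything else needs a matching
    allow rule; there are no deny rules, so no match means deny.
    """
    if (protocol, port, source_ip) in established:
        return True
    return any(rule_matches(r, protocol, port, source_ip) for r in effective_rules(groups))


# Constructed sample: the two groups from Review Question 5.
RDP_GROUP = [Rule("tcp", 3389, 3389, "72.14.0.0/16")]
HTTP_GROUP = [Rule("tcp", 80, 80, "0.0.0.0/0")]

if __name__ == "__main__":
    groups = [RDP_GROUP, HTTP_GROUP]
    for proto, port, src in [("tcp", 3389, "72.14.1.2"), ("tcp", 3389, "198.51.100.7"),
                             ("tcp", 80, "198.51.100.7"), ("tcp", 22, "72.14.1.2")]:
        verdict = "allow" if inbound_allowed(groups, proto, port, src) else "deny"
        print(f"{proto}/{port} from {src}: {verdict}")
    # Reply to an outbound connection the instance opened: allowed statefully.
    print(inbound_allowed(groups, "tcp", 49152, "203.0.113.10",
                          established={("tcp", 49152, "203.0.113.10")}))
```

With both groups attached, RDP is reachable only from 72.14.0.0/16, HTTP from anywhere, and SSH from nowhere, which is answer D of Review Question 5; the reply to an outbound connection passes with no inbound rule at all.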
Know the different Amazon EBS volume types, their characteristics, and their appropriate workloads. Magnetic volumes provide an average performance of 100 IOPS and can be provisioned up to 1 TB. They are good for cold and infrequently accessed data. General-purpose SSD volumes provide three IOPS/GB up to 10,000 IOPS, with smaller volumes able to burst to 3,000 IOPS. They can be provisioned up to 16 TB and are appropriate for dev/test environments, small databases, and so forth. Provisioned IOPS SSD can provide up to 20,000 consistent IOPS for volumes up to 16 TB. They are the best choice for workloads such as large databases executing many transactions.
Know how to encrypt an Amazon EBS volume. Any volume type can be encrypted at creation. Encryption is based on AWS KMS and is transparent to applications on the attached instances.
Understand the concept and process of snapshots. Snapshots provide a point-in-time backup of an Amazon EBS volume and are stored in Amazon S3. Subsequent snapshots are incremental; they only store deltas. When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3. Snapshots may be copied between regions.
Know how Amazon EBS-optimized instances affect Amazon EBS performance. In addition to the IOPS that control the performance in and out of the Amazon EBS volume, use Amazon EBS-optimized instances to ensure additional, dedicated capacity for Amazon EBS I/O.
Exercises
For assistance in completing these exercises, refer to these user guides:
Amazon EC2 (Linux): http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
Amazon EC2 (Windows): http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html
Amazon EBS: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
EXERCISE 3.1
Launch and Connect to a Linux Instance
In this exercise, you will launch a new Linux instance, log in with SSH, and install any security updates.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.1.
7. Create a new security group called CertBook.
8. Add a rule to CertBook allowing SSH access from the IP address of your workstation (www.WhatsMyIP.org is a good way to determine your IP address).
9. Launch the instance.
10. When prompted for a key pair, choose a key pair you already have or create a new one and download the private portion.
Amazon generates a keyname.pem file. OpenSSH clients use the .pem file directly; because OpenSSH refuses a private key that other users can read, restrict its permissions first (chmod 400 keyname.pem). If you connect with PuTTY on Windows, you will need a keyname.ppk file instead; PuTTYgen (puttygen.exe) is one utility that will create a .ppk file from a .pem file.
11. SSH into the instance using the public IP address, the username ec2-user, and the private key file (keyname.pem or keyname.ppk).
12. From the command-line prompt, run sudo yum update --security -y.
13. Close the SSH window and terminate the instance.
EXERCISE 3.2
Launch a Windows Instance with Bootstrapping
In this exercise, you will launch a Windows instance and specify a very simple bootstrap script. You will then confirm that the bootstrap script was executed on the instance.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. In the Advanced Details section, enter the following text as User Data:
<script>
md c:\temp
</script>
7. Add a tag to the instance of Key: Name, Value: Exercise 3.2.
8. Use the CertBook security group from Exercise 3.1.
9. Launch the instance.
10. Use the key pair from Exercise 3.1.
11. On the Connect Instance UI, decrypt the administrator password and then download the RDP file to attempt to connect to the instance. Your attempt should fail because the CertBook security group does not allow RDP access.
12. Open the CertBook security group and add a rule that allows RDP access from your IP address.
13. Attempt to access the instance via RDP again.
14. Once the RDP session is connected, open Windows Explorer and confirm that the c:\temp folder has been created.
15. End the RDP session and terminate the instance.
EXERCISE 3.3
Confirm That Instance Stores Are Lost When an Instance Is Stopped
In this exercise, you will observe that the data on an Amazon EC2 instance store is lost when the instance is stopped.
1. Launch an instance in the AWS Management Console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the m3.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.3.
7. Use the CertBook security group as updated in Exercise 3.2.
8. Launch the instance.
9. Use the key pair from Exercise 3.1.
10. Decrypt the administrator password and log in to the instance via RDP.
11. Once the RDP session is connected, open Windows Explorer.
12. Create a new folder named z:\temp.
13. Log out of the RDP session.
14. In the console, set the state of the instance to Stopped.
15. Once the instance is stopped, start it again.
16. Log back in to the instance using RDP.
17. Open Windows Explorer and confirm that the z:\temp folder is gone.
18. End the RDP session and terminate the instance.
EXERCISE 3.4
Launch a Spot Instance
In this exercise, you will create a Spot Instance.
1. In the Amazon EC2 console, go to the Spot Request page.
2. Look at the pricing history for m3.medium, especially the recent price.
3. Make a note of the most recent price and Availability Zone.
4. Launch an instance in the Amazon EC2 console.
5. Choose the Amazon Linux AMI.
6. Choose the m3.medium instance type (the type whose price you recorded in step 2).
7. On the Configure Instance page, request a Spot Instance.
8. Launch the instance in either the default VPC or EC2-Classic. (Note that the default VPC will define the Availability Zone for the instance.)
9. Assign the instance a public IP address.
10. Enter a bid a few cents above the recorded Spot price.
11. Finish launching the instance.
12. Go back to the Spot Request page.
Watch your request. If your bid was high enough, you should see it change to Active and an instance ID appear.
13. Find the instance on the Instances page of the Amazon EC2 console.
Note the Lifecycle field in the Description that says Spot.
14. Once the instance is running, terminate it.
EXERCISE 3.5
Access Metadata
In this exercise, you will access the instance metadata from the OS.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.5.
7. Use the CertBook security group.
8. Launch the instance.
9. Use the key pair from Exercise 3.1.
10. Connect to the instance via SSH using the public IP address, the username ec2-user, and the private key file from Exercise 3.1.
11. At the Linux command prompt, retrieve a list of the available metadata by typing:
curl http://169.254.169.254/latest/meta-data/
12. To see a value, add the name to the end of the URL. For example, to see the security groups, type:
curl http://169.254.169.254/latest/meta-data/security-groups
13. Try other values as well. Names that end with a / indicate a longer list of sub-values.
14. Close the SSH window and terminate the instance.
EXERCISE 3.6
Create an Amazon EBS Volume and Show That It Remains After the Instance Is Terminated
In this exercise, you will see how an Amazon EBS volume persists beyond the life of an instance.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a second Amazon EBS volume of size 50 GB. Note that the root volume is set to Delete on Termination.
7. Add a tag to the instance of Key: Name, Value: Exercise 3.6.
8. Use the CertBook security group from earlier exercises.
9. Launch the instance.
10. Find the two Amazon EBS volumes on the Amazon EBS console. Name them both Exercise 3.6.
11. Terminate the instance.
Notice that the boot drive is destroyed, but the additional Amazon EBS volume remains and now says Available. Do not delete the Available volume.
EXERCISE 3.7
Take a Snapshot and Restore
This exercise guides you through taking a snapshot and restoring it in three different ways.
1. Find the volume you created in Exercise 3.6 in the Amazon EBS console.
2. Take a snapshot of that volume. Name the snapshot Exercise 3.7.
3. On the snapshot console, wait for the snapshot to be completed. (As the volume was empty, this should be very quick.)
4. On the snapshot page in the AWS Management Console, choose the new snapshot and select Create Volume.
5. Create the volume with all the defaults.
6. Locate the snapshot again and again choose Create Volume, setting the size of the new volume to 100 GB. (Taking a snapshot and restoring the snapshot to a new, larger volume is how you address the problem of increasing the size of an existing volume.)
7. Locate the snapshot again and choose Copy. Copy the snapshot to another region. Make the description Exercise 3.7.
8. Go to the other region and wait for the snapshot to become available.
9. Create a volume from the snapshot in the new region. This is how you share an Amazon EBS volume between regions; that is, by taking a snapshot and copying the snapshot.
10. Delete all four volumes.
EXERCISE 3.8
Launch an Encrypted Volume
In this exercise, you will launch an Amazon EC2 instance with an encrypted Amazon EBS volume and store some data on it to confirm that the encryption is transparent to the instance itself.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the m3.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. On the storage page, add a 50 GB encrypted Amazon EBS volume.
7. Add a tag to the instance of Key: Name, Value: Exercise 3.8.
8. Use the CertBook security group as updated in Exercise 3.2.
9. Launch the instance.
10. Choose the key pair from Exercise 3.1.
11. Decrypt the administrator password and log in to the instance using RDP.
12. Once the RDP session is connected, open Notepad.
13. Type some random information into Notepad, save it at d:\testfile.txt, and then close Notepad.
14. Find d:\testfile.txt in Windows Explorer and open it with Notepad. Confirm that the data reads back in plain text: the encryption happens below the instance and is transparent to it.
15. Log out.
16. Terminate the instance.
EXERCISE 3.9
Detach a Boot Drive and Reattach to Another Instance
In this exercise, you will practice removing the boot volume from a stopped instance and attaching it to another instance to recover the data.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.9 Source.
7. Use the CertBook security group from earlier exercises.
8. Launch the instance with the key pair from Exercise 3.1.
9. Launch a second instance in the Amazon EC2 console.
10. Choose the Microsoft Windows Server 2012 Base AMI.
11. Choose the t2.medium instance type.
12. Launch the instance in either the default VPC or EC2-Classic.
13. Assign the instance a public IP address.
14. Add a tag to the instance of Key: Name, Value: Exercise 3.9 Destination.
15. Use the CertBook security group from earlier exercises.
16. Launch the instance with the key pair you used in Exercise 3.1.
17. Once both instances are running, stop the first instance (Source). Make a note of the instance ID.
18. Go to the Amazon EBS page in the Amazon EC2 console and find the volume attached to the Source instance via the instance ID. Detach the volume.
19. When the volume becomes Available, attach it to the second instance (Destination).
20. Log in to the Destination instance via RDP using the administrator account.
21. Open a command window (cmd.exe).
22. At the command prompt, type the following commands (run list disk first to confirm the number of the newly attached disk; it is normally disk 1 on a fresh instance, and Windows may assign a drive letter other than E:):
C:\Users\Administrator> diskpart
DISKPART> select disk 1
DISKPART> online disk
DISKPART> exit
C:\Users\Administrator> dir e:
The volume removed from the stopped Source instance can now be read as the E: drive on the Destination instance, so its data can be retrieved. Note what this exercise demonstrates about access control: anyone with permission to detach and attach volumes in the account can read a boot volume this way, regardless of the Windows passwords on it, so EBS permissions (and the KMS key policy for encrypted volumes) are what protect data on a volume.
23. Terminate all the instances and ensure the volumes are deleted in the process.
Review Questions
1. Your web application needs four instances to support steady traffic nearly all of the time. On the last day of each month, the traffic triples. What is a cost-effective way to handle this traffic pattern?
A. Run 12 Reserved Instances all of the time.
B. Run four On-Demand Instances constantly, then add eight more On-Demand Instances on the last day of each month.
C. Run four Reserved Instances constantly, then add eight On-Demand Instances on the last day of each month.
D. Run four On-Demand Instances constantly, then add eight Reserved Instances on the last day of each month.
2. Your order-processing application processes orders extracted from a queue with two Reserved Instances processing 10 orders/minute. If an order fails during processing, then it is returned to the queue without penalty. Due to a weekend sale, the queues have several hundred orders backed up. While the backup is not catastrophic, you would like to drain it so that customers get their confirmation emails faster. What is a cost-effective way to drain the queue for orders?
A. Create more queues.
B. Deploy additional Spot Instances to assist in processing the orders.
C. Deploy additional Reserved Instances to assist in processing the orders.
D. Deploy additional On-Demand Instances to assist in processing the orders.
3. Which of the following must be specified when launching a new Amazon Elastic Compute Cloud (Amazon EC2) Windows instance? (Choose 2 answers)
A. The Amazon EC2 instance ID
B. Password for the administrator account
C. Amazon EC2 instance type
D. Amazon Machine Image (AMI)
4. You have purchased an m3.xlarge Linux Reserved Instance in us-east-1a. In which ways can you modify this reservation? (Choose 2 answers)
A. Change it into two m3.large instances.
B. Change it to a Windows instance.
C. Move it to us-east-1b.
D. Change it to an m4.xlarge.
5. Your instance is associated with two security groups. The first allows Remote Desktop Protocol (RDP) access over port 3389 from Classless Inter-Domain Routing (CIDR) block 72.14.0.0/16. The second allows HTTP access over port 80 from CIDR block 0.0.0.0/0. What traffic can reach your instance?
A. RDP and HTTP access from CIDR block 0.0.0.0/0
B. No traffic is allowed.
C. RDP and HTTP traffic from 72.14.0.0/16
D. RDP traffic over port 3389 from 72.14.0.0/16 and HTTP traffic over port 80 from 0.0.0.0/0
6. Which of the following are features of enhanced networking? (Choose 3 answers)
A. More Packets Per Second (PPS)
B. Lower latency
C. Multiple network interfaces
D. Border Gateway Protocol (BGP) routing
E. Less jitter
7. You are creating a High-Performance Computing (HPC) cluster and need very low latency and high bandwidth between instances. What combination of the following will allow this? (Choose 3 answers)
A. Use an instance type with 10 Gbps network performance.
B. Put the instances in a placement group.
C. Use Dedicated Instances.
D. Enable enhanced networking on the instances.
E. Use Reserved Instances.
8. Which Amazon Elastic Compute Cloud (Amazon EC2) feature ensures that your instances will not share a physical host with instances from any other AWS customer?
A. Amazon Virtual Private Cloud (VPC)
B. Placement groups
C. Dedicated Instances
D. Reserved Instances
9. Which of the following are true of instance stores? (Choose 2 answers)
A. Automatic backups
B. Data is lost when the instance stops.
C. Very high IOPS
D. Charge is based on the total amount of storage provisioned.
10. Which of the following are features of Amazon Elastic Block Store (Amazon EBS)? (Choose 2 answers)
A. Data stored on Amazon EBS is automatically replicated within an Availability Zone.
B. Amazon EBS data is automatically backed up to tape.
C. Amazon EBS volumes can be encrypted transparently to workloads on the attached instance.
D. Data on an Amazon EBS volume is lost when the attached instance is stopped.
11. You need to take a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume. How long will the volume be unavailable?
A. It depends on the provisioned size of the volume.
B. The volume will be available immediately.
C. It depends on the amount of data stored on the volume.
D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
12. You are restoring an Amazon Elastic Block Store (Amazon EBS) volume from a snapshot. How long will it be before the data is available?
A. It depends on the provisioned size of the volume.
B. The data will be available immediately.
C. It depends on the amount of data stored on the volume.
D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
13. You have a workload that requires 15,000 consistent IOPS for data that must be durable. What combination of the following steps do you need? (Choose 2 answers)
A. Use an Amazon Elastic Block Store (Amazon EBS)-optimized instance.
B. Use an instance store.
C. Use a Provisioned IOPS SSD volume.
D. Use a magnetic volume.
14. Which of the following can be accomplished through bootstrapping?
A. Install the most current security updates.
B. Install the current version of the application.
C. Configure Operating System (OS) services.
D. All of the above.
15. How can you connect to a new Linux instance using SSH?
A. Decrypt the root password.
B. Using a certificate
C. Using the private half of the instance's key pair
D. Using Multi-Factor Authentication (MFA)
16. VM Import/Export can import existing virtual machines as: (Choose 2 answers)
A. Amazon Elastic Block Store (Amazon EBS) volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances
C. Amazon Machine Images (AMIs)
D. Security groups
17. Which of the following can be used to address an Amazon Elastic Compute Cloud (Amazon EC2) instance over the web? (Choose 2 answers)
A. Windows machine name
B. Public DNS name
C. Amazon EC2 instance ID
D. Elastic IP address
18. Using the correctly decrypted Administrator password and RDP, you cannot log in to a Windows instance you just launched. Which of the following is a possible reason?
A. There is no security group rule that allows RDP access over port 3389 from your IP address.
B. The instance is a Reserved Instance.
C. The instance is not using enhanced networking.
D. The instance is not an Amazon EBS-optimized instance.
19. You have a workload that requires 1 TB of durable block storage at 1,500 IOPS during normal use. Every night there is an Extract, Transform, Load (ETL) task that requires 3,000 IOPS for 15 minutes. What is the most appropriate volume type for this workload?
A. Use a Provisioned IOPS SSD volume at 3,000 IOPS.
B. Use an instance store.
C. Use a general-purpose SSD volume.
D. Use a magnetic volume.
20. How are you billed for elastic IP addresses?
A. Hourly when they are associated with an instance
B. Hourly when they are not associated with an instance
C. Based on the data that flows through them
D. Based on the instance type to which they are attached
Chapter 4
Amazon Virtual Private Cloud (Amazon VPC)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Architectural trade-off decisions (for example, high availability vs. cost, Amazon Relational Database Service [RDS] vs. installing your own database on Amazon Elastic Compute Cloud [EC2])
Hybrid IT architectures (for example, Direct Connect, Storage Gateway, VPC, Directory Services)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Operate and extend service management in a hybrid IT architecture
Configure services to support compliance requirements in the cloud
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS security attributes (customer workloads down to the physical layer)
Amazon Virtual Private Cloud (VPC)
Ingress vs. egress filtering, and which AWS services and features fit
"Core" Amazon EC2 and S3 security feature sets
Incorporating common conventional security products (firewalls and VPNs)
Complex access controls (building sophisticated security groups, ACLs, and so on)
Introduction
The Amazon Virtual Private Cloud (Amazon VPC) is a custom-defined virtual network within the AWS Cloud. You can provision your own logically isolated section of AWS, similar to designing and implementing a separate independent network that would operate in an on-premises data center. This chapter explores the core components of Amazon VPC and, in the exercises, you learn how to build your own Amazon VPC in the cloud. A strong understanding of Amazon VPC topology and troubleshooting is required to pass the exam, and we highly recommend that you complete the exercises in this chapter.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2), and it allows you to build your own virtual network within AWS. You control various aspects of your Amazon VPC, including selecting your own IP address range; creating your own subnets; and configuring your own route tables, network gateways, and security settings. Within a region, you can create multiple Amazon VPCs, and each Amazon VPC is logically isolated even if it shares its IP address space with another.
When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses) and should not overlap any other network with which it is to be connected.
The Amazon VPC service was released after the Amazon EC2 service; because of this, there are two different networking platforms available within AWS: EC2-Classic and EC2-VPC. Amazon EC2 originally launched with a single, flat network shared with other AWS customers called EC2-Classic. As such, AWS accounts created prior to the arrival of the Amazon VPC service can launch instances into the EC2-Classic network and EC2-VPC. AWS accounts created after December 2013 only support launching instances using EC2-VPC. AWS accounts that support EC2-VPC will have a default VPC created in each region with a default subnet created in each Availability Zone. The assigned CIDR block of the VPC will be 172.31.0.0/16.
Figure 4.1 illustrates an Amazon VPC with an address space of 10.0.0.0/16, two subnets with different address ranges (10.0.0.0/24 and 10.0.1.0/24) placed in different Availability Zones, and a route table with the local route specified.
FIGURE 4.1 VPC, subnets, and a route table
An Amazon VPC consists of the following components:
Subnets
Route tables
Dynamic Host Configuration Protocol (DHCP) option sets
Security groups
Network Access Control Lists (ACLs)
An Amazon VPC has the following optional components:
Internet Gateways (IGWs)
Elastic IP (EIP) addresses
Elastic Network Interfaces (ENIs)
Endpoints
Peering
Network Address Translation (NAT) instances and NAT gateways
Virtual Private Gateway (VPG), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
SubnetsAsubnetisasegmentofanAmazonVPC’sIPaddressrangewhereyoucanlaunchAmazonEC2instances,AmazonRelationalDatabaseService(AmazonRDS)databases,andotherAWSresources.CIDRblocksdefinesubnets(forexample,10.0.1.0/24and192.168.0.0/24).Thesmallestsubnetthatyoucancreateisa/28(16IPaddresses).AWSreservesthefirstfourIPaddressesandthelastIPaddressofeverysubnetforinternalnetworkingpurposes.Forexample,asubnetdefinedasa/28has16availableIPaddresses;subtractthe5IPsneededbyAWStoyield11IPaddressesforyourusewithinthesubnet.
AftercreatinganAmazonVPC,youcanaddoneormoresubnetsineachAvailabilityZone.SubnetsresidewithinoneAvailabilityZoneandcannotspanzones.Thisisanimportantpointthatcancomeupintheexam,sorememberthatonesubnetequalsoneAvailabilityZone.Youcan,however,havemultiplesubnetsinoneAvailabilityZone.
Subnetscanbeclassifiedaspublic,private,orVPN-only.Apublicsubnetisoneinwhichtheassociatedroutetable(discussedlater)directsthesubnet’straffictotheAmazonVPC’sIGW(alsodiscussedlater).Aprivatesubnetisoneinwhichtheassociatedroutetabledoesnotdirectthesubnet’straffictotheAmazonVPC’sIGW.AVPN-onlysubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sVPG(discussedlater)anddoesnothavearoutetotheIGW.Regardlessofthetypeofsubnet,theinternalIPaddressrangeofthesubnetisalwaysprivate(thatis,non-routableontheInternet).
DefaultAmazonVPCscontainonepublicsubnetineveryAvailabilityZonewithintheregion,withanetmaskof/20.
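The sizing rules above (VPC range between /16 and /28, five addresses reserved per subnet, subnets inside the VPC range and not overlapping each other) are easy to get wrong when planning an address layout. The following Python is an added example, not code from the book; the function names and the sample CIDRs are the editor's own, and the checks encode only the constraints stated in this section.

```python
"""Subnet sizing and placement checks for an Amazon VPC address plan (added example)."""
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr: str) -> int:
    """Addresses left for your own use in a subnet of this size (e.g. /28 -> 11)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 28:
        raise ValueError(f"{cidr}: the smallest allowed subnet is a /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject VPC ranges larger than /16 or smaller than /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: a VPC CIDR must be between /16 and /28")
    return net


def plan_subnets(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems with a proposed layout; an empty list means OK.

    `subnets` maps a subnet name to its CIDR, e.g. {"public-a": "10.0.0.0/24"}.
    Checks: well-formed CIDR, not smaller than /28, inside the VPC range,
    and no overlap with any subnet listed before it.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    problems = []
    accepted = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:          # e.g. host bits set in the CIDR
            problems.append(f"{name}: {exc}")
            continue
        if net.prefixlen > 28:
            problems.append(f"{name}: {cidr} is smaller than the /28 minimum")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC range {vpc}")
        for other_name, other in accepted.items():
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted[name] = net
    return problems


if __name__ == "__main__":
    # Constructed plan matching Exercise 4.2: a /16 VPC with two /24 subnets.
    print(usable_addresses("192.168.1.0/24"), "usable addresses per /24")
    print(plan_subnets("192.168.0.0/16",
                       {"My First Public Subnet": "192.168.1.0/24",
                        "My First Private Subnet": "192.168.2.0/24"}))
```

Run it as a script to see the plan from Exercise 4.2 pass; feed it an overlapping or out-of-range subnet to see the corresponding problem reported.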
Route Tables
A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW).
Each route table contains a default route called the local route, which enables communication within the Amazon VPC, and this route cannot be modified or removed. Additional routes can be added to direct traffic to exit the Amazon VPC via the IGW (discussed later), the VPG (discussed later), or the NAT instance (discussed later). In the exercises at the end of this chapter, you can practice how this is accomplished.
You should remember the following points about route tables:
Your VPC has an implicit router.
Your VPC automatically comes with a main route table that you can modify.
You can create additional custom route tables for your VPC.
Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
Each route in a table specifies a destination CIDR and a target; for example, traffic destined for 172.16.0.0/12 is targeted for the VPG. AWS uses the most specific route that matches the traffic to determine how to route the traffic.
Internet Gateways
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses. When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance's public IP address (or EIP address, covered later) and maintains the one-to-one map of the instance private IP address and public IP address. When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance's private IP address and forwards the traffic to the Amazon VPC.
You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the Internet:
Assign a public IP address or EIP address.
You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0), or you can scope the route to a narrower range of IP addresses, such as the public IP addresses of your company's public endpoints outside of AWS or the EIP addresses of other Amazon EC2 instances outside your Amazon VPC.
Figure 4.2 illustrates an Amazon VPC with an address space of 10.0.0.0/16, one subnet with an address range of 10.0.0.0/24, a route table, an attached IGW, and a single Amazon EC2 instance with a private IP address and an EIP address. The route table contains two routes: the local route that permits communication within the VPC and a route that sends all non-local traffic to the IGW (igw-id). Note that the Amazon EC2 instance has a public IP address (EIP = 198.51.100.2); this instance can be accessed from the Internet, and traffic may originate and return to this instance.
FIGURE 4.2 VPC, subnet, route table, and an Internet gateway
Dynamic Host Configuration Protocol (DHCP) Option Sets
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.
AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to AmazonProvidedDNS) and domain-name (defaulted to the domain name for your region). AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC's IGW.
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and assign it to your Amazon VPC. You can configure the following values within a DHCP option set:
domain-name-servers: The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
domain-name: Specify the desired domain name here (for example, mycompany.com).
ntp-servers: The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
netbios-name-servers: The IP addresses of up to four NetBIOS name servers, separated by commas.
netbios-node-type: Set this value to 2.
Every Amazon VPC must have only one DHCP option set assigned to it.
Elastic IP Addresses (EIPs)
AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs. An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time. Here are the important points to understand about EIPs for the exam:
You must first allocate an EIP for use within a VPC and then assign it to an instance.
EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).
There is a one-to-one relationship between network interfaces and EIPs.
You can move EIPs from one instance to another, either in the same Amazon VPC or a different Amazon VPC within the same region.
EIPs remain associated with your AWS account until you explicitly release them.
There are charges for EIPs allocated to your account, even when they are not associated with a resource.
Elastic Network Interfaces (ENIs)
An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary. Assigning a second network interface to an instance via an ENI allows it to be dual-homed (have network presence in different subnets). An ENI created independently of a particular instance persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, the IP address may be preserved by attaching the ENI to a replacement instance.
ENIs allow you to create a management network, use network and security appliances in your Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.
Endpoints
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.
Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3), and other services are expected to be added in the future.
You must do the following to create an Amazon VPC endpoint:
Specify the Amazon VPC.
Specify the service. A service is identified by a prefix list of the form com.amazonaws.<region>.<service>.
Specify the policy. You can allow full access or create a custom policy. This policy can be changed at any time.
Specify the route tables. A route will be added to each specified route table, which will state the service as the destination and the endpoint as the target.
Table 4.1 is an example route table that has an existing route that directs all Internet traffic (0.0.0.0/0) to an IGW. Any traffic from the subnet that is destined for another AWS service (for example, Amazon S3 or Amazon DynamoDB) will be sent to the IGW in order to reach that service.
TABLE 4.1 Route Table with an IGW Routing Rule
Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       igw-1a2b3c4d
Table 4.2 is an example route table that has existing routes directing all Internet traffic to an IGW and all Amazon S3 traffic to the Amazon VPC endpoint.
TABLE 4.2 Route Table with an IGW Routing Rule and VPC Endpoint Rule
Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       igw-1a2b3c4d
pl-1a2b3c4d     vpce-11bb22cc
The route table depicted in Table 4.2 will direct any traffic from the subnet that's destined for Amazon S3 in the same region to the endpoint. All other Internet traffic goes to your IGW, including traffic that's destined for other services and for Amazon S3 in other regions.
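The route-table rules in this chapter (the local route, "most specific route wins", the public/private/VPN-only distinction, and the prefix-list route of Table 4.2) can be exercised with a small simulator. The following Python is an added example, not code from the book. The igw-1a2b3c4d, vpce-11bb22cc and pl-1a2b3c4d identifiers are taken from Table 4.2; the contents of the prefix list, the vgw-0a1b2c3d identifier and all sample addresses are constructed stand-ins, not real AWS ranges.

```python
"""Route lookup with longest-prefix match and subnet classification (added example)."""
import ipaddress
from typing import Optional

# Constructed stand-in for the S3 prefix list pl-1a2b3c4d. In a real VPC the
# prefix list is populated by AWS with the service's address ranges for the region.
PREFIX_LISTS = {
    "pl-1a2b3c4d": ["203.0.113.0/24", "198.51.100.0/25"],
}


def expand_routes(routes):
    """Turn (destination, target) rows into (network, target) pairs.

    A destination is either a CIDR or a prefix-list id; a prefix list expands
    to one entry per CIDR it contains.
    """
    expanded = []
    for destination, target in routes:
        for cidr in PREFIX_LISTS.get(destination, [destination]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def lookup(routes, dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route matching dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for net, target in expand_routes(routes):
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(routes) -> str:
    """Public if any route targets an IGW, VPN-only if a VPG but no IGW, else private."""
    targets = [target for _, target in routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


# Table 4.2: local route, default route to the IGW, S3 prefix list to the endpoint.
TABLE_4_2 = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-1a2b3c4d"),
    ("pl-1a2b3c4d", "vpce-11bb22cc"),
]

# Constructed VPN-only table: no IGW route, corporate range via the VPG
# (AWS ids for a virtual private gateway start with vgw-; the id is assumed).
VPN_ONLY_TABLE = [
    ("10.0.0.0/16", "local"),
    ("172.16.0.0/12", "vgw-0a1b2c3d"),
]

if __name__ == "__main__":
    for ip in ("10.0.5.7", "203.0.113.9", "8.8.8.8"):
        print(ip, "->", lookup(TABLE_4_2, ip))
    print("Table 4.2 subnet is", classify_subnet(TABLE_4_2))
    print("VPN-only subnet sends 8.8.8.8 to", lookup(VPN_ONLY_TABLE, "8.8.8.8"))
```

The last line prints `None`: with no IGW or NAT route, Internet-bound traffic from a VPN-only (or private) subnet has nowhere to go, which is exactly why the NAT section later in the chapter adds a 0.0.0.0/0 route to a NAT device.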
Peering
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.
Peering connections are created through a request/accept protocol. The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC. If the peer Amazon VPC is within the same account, it is identified by its VPC ID. If the peer VPC is within a different account, it is identified by Account ID and VPC ID. The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.
An Amazon VPC may have multiple peering connections, and peering is a one-to-one relationship between Amazon VPCs, meaning two Amazon VPCs cannot have two peering agreements between them. Also, peering connections do not support transitive routing. Figure 4.3 depicts transitive routing.
FIGURE 4.3 VPC peering connections do not support transitive routing
In Figure 4.3, VPC A has two peering connections with two different VPCs: VPC B and VPC C. Therefore, VPC A can communicate directly with VPCs B and C. Because peering connections do not support transitive routing, VPC A cannot be a transit point for traffic between VPCs B and C. In order for VPCs B and C to communicate with each other, a peering connection must be explicitly created between them.
Here are the important points to understand about peering for the exam:
You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
You cannot create a peering connection between Amazon VPCs in different regions.
Amazon VPC peering connections do not support transitive routing.
You cannot have more than one peering connection between the same two Amazon VPCs at the same time.
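The four peering constraints above, together with the Figure 4.3 topology, can be checked mechanically. The following Python is an added example, not code from the book; the VPC names, CIDRs and region are constructed.

```python
"""Peering preconditions and non-transitive reachability (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpc:
    name: str
    cidr: str
    region: str


def can_peer(a: Vpc, b: Vpc, existing: set) -> tuple:
    """Return (allowed, reason) for a proposed peering between a and b.

    `existing` is a set of frozenset({name1, name2}) pairs already peered.
    """
    if a.region != b.region:
        return False, "VPCs are in different regions"
    if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
        return False, "CIDR blocks match or overlap"
    if frozenset((a.name, b.name)) in existing:
        return False, "a peering connection between these VPCs already exists"
    return True, "ok"


def reachable(src: str, dst: str, peerings: set) -> bool:
    """Peering is non-transitive: only a direct connection counts, never a path."""
    return frozenset((src, dst)) in peerings


# Figure 4.3 topology: A peers with B and with C; B and C are not peered.
VPC_A = Vpc("A", "10.0.0.0/16", "us-east-1")
VPC_B = Vpc("B", "10.1.0.0/16", "us-east-1")
VPC_C = Vpc("C", "10.2.0.0/16", "us-east-1")
PEERINGS = {frozenset(("A", "B")), frozenset(("A", "C"))}

if __name__ == "__main__":
    print("A -> B:", reachable("A", "B", PEERINGS))   # direct peering
    print("B -> C:", reachable("B", "C", PEERINGS))   # no transit through A
    print("peer B with C:", can_peer(VPC_B, VPC_C, PEERINGS))
    print("peer A with B again:", can_peer(VPC_A, VPC_B, PEERINGS))
```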
Security Groups
A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic. You may change the rules for the default security group, but you may not delete the default security group. Table 4.3 describes the settings of the default security group.
TABLE 4.3 Security Group Rules
Inbound
Source        Protocol   Port Range   Comments
sg-xxxxxxxx   All        All          Allow inbound traffic from instances within the same security group.
Outbound
Destination   Protocol   Port Range   Comments
0.0.0.0/0     All        All          Allow all outbound traffic.
For each security group, you add rules that control the inbound traffic to instances and a separate set of rules that control the outbound traffic. For example, Table 4.4 describes a security group for web servers.
TABLE 4.4 Security Group Rules for a Web Server
Inbound
Source                                   Protocol   Port Range   Comments
0.0.0.0/0                                TCP        80           Allow inbound traffic from the Internet to port 80.
Your network's public IP address range   TCP        22           Allow Secure Shell (SSH) traffic from your company network.
Your network's public IP address range   TCP        3389         Allow Remote Desktop Protocol (RDP) traffic from your company network.
Outbound
Destination                                                              Protocol   Port Range   Comments
The ID of the security group for your MySQL database servers             TCP        3306         Allow outbound MySQL access to instances in the specified security group.
The ID of the security group for your Microsoft SQL Server database servers   TCP   1433         Allow outbound Microsoft SQL Server access to instances in the specified security group.
Here are the important points to understand about security groups for the exam:
You can create up to 500 security groups for each Amazon VPC.
You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to five security groups with each network interface.
You can specify allow rules, but not deny rules. This is an important difference between security groups and ACLs.
You can specify separate rules for inbound and outbound traffic.
By default, no inbound traffic is allowed until you add inbound rules to the security group.
By default, new security groups have an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa. This is an important difference between security groups and network ACLs.
Instances associated with the same security group can't talk to each other unless you add rules allowing it (with the exception being the default security group).
You can change the security groups with which an instance is associated after launch, and the changes will take effect immediately.
Network Access Control Lists (ACLs)
A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise. You may set up network ACLs with rules similar to your security groups in order to add a layer of security to your Amazon VPC, or you may choose to use the default network ACL that does not filter traffic traversing the subnet boundary. Overall, every subnet must be associated with a network ACL.
Table 4.5 explains the differences between a security group and a network ACL. You should remember the following differences between security groups and network ACLs for the exam.
TABLE 4.5 Comparison of Security Groups and Network ACLs
Security Group                                                            | Network ACL
Operates at the instance level (first layer of defense)                   | Operates at the subnet level (second layer of defense)
Supports allow rules only                                                 | Supports allow rules and deny rules
Stateful: Return traffic is automatically allowed, regardless of any rules | Stateless: Return traffic must be explicitly allowed by rules.
AWS evaluates all rules before deciding whether to allow traffic          | AWS processes rules in number order when deciding whether to allow traffic.
Applied selectively to individual instances                               | Automatically applied to all instances in the associated subnets; this is a backup layer of defense, so you don't have to rely on someone specifying the security group.
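The practical consequence of Table 4.5 is easiest to see by running the same web-server flow through both filters: the HTTP request from the Internet to port 80 (the first rule of Table 4.4) and the server's reply to the client's ephemeral port. The following Python is an added example, not code from the book. It models a security group as an unordered, allow-only, connection-tracking filter and a network ACL as an ordered, allow-or-deny, memoryless filter with an implicit final deny; rule sets, addresses and ports are constructed.

```python
"""Stateful security group versus stateless, ordered network ACL (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def _matches(rule_cidr, rule_proto, port_range, addr, proto, port) -> bool:
    lo, hi = port_range
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(rule_cidr)
            and rule_proto in ("all", proto) and lo <= port <= hi)


class SecurityGroup:
    """Allow rules only; every rule is checked; replies to tracked flows pass."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound        # (source_cidr, proto, (lo, hi))
        self.outbound = outbound      # (dest_cidr, proto, (lo, hi))
        self._flows = set()           # (src_ip, src_port, dst_ip, dst_port, proto)

    def _is_reply(self, pkt):
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol) in self._flows

    def _track(self, pkt):
        self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol))

    def allow_inbound(self, pkt: Packet) -> bool:
        if self._is_reply(pkt):
            return True
        ok = any(_matches(c, p, r, pkt.src_ip, pkt.protocol, pkt.dst_port) for c, p, r in self.inbound)
        if ok:
            self._track(pkt)
        return ok

    def allow_outbound(self, pkt: Packet) -> bool:
        if self._is_reply(pkt):
            return True
        ok = any(_matches(c, p, r, pkt.dst_ip, pkt.protocol, pkt.dst_port) for c, p, r in self.outbound)
        if ok:
            self._track(pkt)
        return ok


class NetworkAcl:
    """Allow or deny; rules evaluated in number order, first match wins; no state."""

    def __init__(self, inbound, outbound):
        # rules: (number, cidr, proto, (lo, hi), "allow" | "deny")
        self.inbound = sorted(inbound, key=lambda r: r[0])
        self.outbound = sorted(outbound, key=lambda r: r[0])

    @staticmethod
    def _evaluate(rules, addr, proto, port) -> bool:
        for _num, cidr, rproto, prange, action in rules:
            if _matches(cidr, rproto, prange, addr, proto, port):
                return action == "allow"
        return False                  # implicit deny at the end of every network ACL

    def allow_inbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.inbound, pkt.src_ip, pkt.protocol, pkt.dst_port)

    def allow_outbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.outbound, pkt.dst_ip, pkt.protocol, pkt.dst_port)


# Constructed flow: Internet client -> web server port 80, then the reply.
REQUEST = Packet("198.51.100.7", 50000, "10.0.0.10", 80)
REPLY = Packet("10.0.0.10", 80, "198.51.100.7", 50000)
HTTP_IN = ("0.0.0.0/0", "tcp", (80, 80))


def simulate() -> dict:
    """Run the request/reply pair through each filter and report the decisions."""
    sg = SecurityGroup(inbound=[HTTP_IN], outbound=[("10.0.2.0/24", "tcp", (3306, 3306))])
    strict_acl = NetworkAcl(inbound=[(100, *HTTP_IN, "allow")], outbound=[(100, *HTTP_IN, "allow")])
    fixed_acl = NetworkAcl(inbound=[(100, *HTTP_IN, "allow")],
                           outbound=[(100, *HTTP_IN, "allow"),
                                     (110, "0.0.0.0/0", "tcp", (1024, 65535), "allow")])
    block = (50, "198.51.100.0/24", "tcp", (80, 80), "deny")
    return {
        "sg_request": sg.allow_inbound(REQUEST),
        "sg_reply": sg.allow_outbound(REPLY),                # no outbound rule, but tracked
        "strict_acl_reply": strict_acl.allow_outbound(REPLY),  # reply port not allowed
        "fixed_acl_reply": fixed_acl.allow_outbound(REPLY),    # ephemeral range added
        "deny_before_allow": NetworkAcl([block, (100, *HTTP_IN, "allow")], []).allow_inbound(REQUEST),
        "deny_after_allow": NetworkAcl([(100, *HTTP_IN, "allow"), (200, *block[1:])], []).allow_inbound(REQUEST),
    }


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:18} {'allow' if decision else 'deny'}")
```

Two things the table states are visible in the output: the security group passes the reply even though it has no outbound rule for port 50000, while the strict network ACL drops it until an outbound rule for the ephemeral port range is added; and the same deny rule blocks the client only when its number is lower than the allow rule, because network ACL evaluation stops at the first match.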
Network Address Translation (NAT) Instances and NAT Gateways
By default, any instance that you launch into a private subnet in an Amazon VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access. For common use cases, we recommend that you use a NAT gateway instead of a NAT instance. The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than NAT instances.
NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet. These instances have the string amzn-ami-vpc-nat in their names, which is searchable in the Amazon EC2 console.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT instance, you must do the following:
Create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol, and IP address.
Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
Disable the Source/Destination Check attribute of the NAT.
Configure the route table associated with a private subnet to direct Internet-bound traffic to the NAT instance (for example, i-1a2b3c4d).
Allocate an EIP and associate it with the NAT instance.
This configuration allows instances in private subnets to send outbound Internet communication, but it prevents the instances from receiving inbound traffic initiated by someone on the Internet.
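The two behaviours the NAT section describes, source-address rewriting with remembered state and the refusal of unsolicited inbound connections, are what a NAT instance's translation table implements. The following Python is an added example, not code from the book or from the NAT AMI; it is a simplified port-based source NAT, and every address and port in it is constructed.

```python
"""Source NAT with a translation table, as done by a NAT instance or NAT gateway (added example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip        # the EIP associated with the NAT
        self._next_port = first_port
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self._table = {}
        # (proto, private_ip, private_port, remote_ip, remote_port) -> public_port
        self._reverse = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Private subnet -> Internet: rewrite the source to the NAT's public IP.

        An existing flow keeps its public port; a new flow gets the next free one
        and is recorded so the reply can be mapped back.
        """
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._reverse.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._reverse[key] = port
            self._table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> NAT: forward only replies to recorded flows; drop everything else."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                   # nobody inside asked for this: unsolicited
        private_ip, private_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                   # right port, wrong peer: also dropped
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


def demo():
    """Constructed flow: private instance fetches updates, then a stranger knocks."""
    nat = Nat("198.51.100.2")
    out = nat.outbound(Packet("10.0.2.15", 40000, "203.0.113.80", 443))
    reply = Packet("203.0.113.80", 443, nat.public_ip, out.src_port)
    back = nat.inbound(reply)
    unsolicited = nat.inbound(Packet("203.0.113.99", 12345, nat.public_ip, 22))
    return out, back, unsolicited


if __name__ == "__main__":
    out, back, unsolicited = demo()
    print("as seen on the Internet:", out)
    print("reply delivered to:", back.dst_ip, back.dst_port)
    print("unsolicited inbound forwarded:", unsolicited is not None)
```

The Source/Destination Check step in the list above exists because of this rewriting: the NAT instance forwards packets whose addresses are not its own, which the check would otherwise drop.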
NATGatewayANATgatewayisanAmazonmanagedresourcethatisdesignedtooperatejustlikeaNATinstance,butitissimplertomanageandhighlyavailablewithinanAvailabilityZone.
ToallowinstanceswithinaprivatesubnettoaccessInternetresourcesthroughtheIGWviaaNATgateway,youmustdothefollowing:
ConfiguretheroutetableassociatedwiththeprivatesubnettodirectInternet-bound
traffictotheNATgateway(forexample,nat-1a2b3c4d).
AllocateanEIPandassociateitwiththeNATgateway.
LikeaNATinstance,thismanagedserviceallowsoutboundInternetcommunicationandpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.
TocreateanAvailabilityZone-independentarchitecture,createaNATgatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.
TheexerciseswilldemonstratehowaNATgatewayworks.
VirtualPrivateGateways(VPGs),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)YoucanconnectanexistingdatacentertoAmazonVPCusingeitherhardwareorsoftwareVPNconnections,whichwillmakeAmazonVPCanextensionofthedatacenter.AmazonVPCofferstwowaystoconnectacorporatenetworktoaVPC:VPGandCGW.
Avirtualprivategateway(VPG)isthevirtualprivatenetwork(VPN)concentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.Acustomergateway(CGW)representsaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.AfterthesetwoelementsofanAmazonVPChavebeencreated,thelaststepistocreateaVPNtunnel.TheVPNtunnelisestablishedaftertrafficisgeneratedfromthecustomer’ssideoftheVPNconnection.Figure4.4illustratesasingleVPNconnectionbetweenacorporatenetworkandanAmazonVPC.
FIGURE4.4VPCwithVPNconnectiontoacustomernetwork
YoumustspecifythetypeofroutingthatyouplantousewhenyoucreateaVPNconnection.IftheCGWsupportsBorderGatewayProtocol(BGP),thenconfiguretheVPNconnectionfordynamicrouting.Otherwise,configuretheconnectionsforstaticrouting.Ifyouwillbeusingstaticrouting,youmustentertheroutesforyournetworkthatshouldbecommunicatedtotheVPG.RouteswillbepropagatedtotheAmazonVPCtoallowyourresourcestoroutenetworktrafficbacktothecorporatenetworkthroughtheVGWandacrosstheVPNtunnel.
AmazonVPCalsosupportsmultipleCGWs,eachhavingaVPNconnectiontoasingleVPG(many-to-onedesign).Inordertosupportthistopology,theCGWIPaddressesmustbeuniquewithintheregion.
AmazonVPCwillprovidetheinformationneededbythenetworkadministratortoconfiguretheCGWandestablishtheVPNconnectionwiththeVPG.TheVPNconnectionconsistsoftwoInternetProtocolSecurity(IPSec)tunnelsforhigheravailabilitytotheAmazonVPC.
FollowingaretheimportantpointstounderstandaboutVPGs,CGWs,andVPNsfortheexam:
TheVPGistheAWSendoftheVPNtunnel.
TheCGWisahardwareorsoftwareapplicationonthecustomer’ssideoftheVPNtunnel.
YoumustinitiatetheVPNtunnelfromtheCGWtotheVPG.
VPGssupportbothdynamicroutingwithBGPandstaticrouting.
TheVPNconnectionconsistsoftwotunnelsforhigheravailabilitytotheVPC.
SummaryInthischapter,youlearnedthatAmazonVPCisthenetworkinglayerforAmazonEC2,anditallowsyoutocreateyourownprivatevirtualnetworkwithinthecloud.YoucanprovisionyourownlogicallyisolatedsectionofAWSsimilartodesigningandimplementingaseparateindependentnetworkthatyou’doperateinaphysicaldatacenter.
AVPCconsistsofthefollowingcomponents:
Subnets
Routetables
DHCPoptionsets
Securitygroups
NetworkACLs
AVPChasthefollowingoptionalcomponents:
IGWs
EIPaddresses
Endpoints
Peering
NATinstanceandNATgateway
VPG,CGW,andVPN
Subnetscanbepublic,private,orVPN-only.Apublicsubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sIGW.Aprivatesubnetisoneinwhichtheassociatedroutetabledoesnotdirectthesubnet’straffictotheAmazonVPC’sIGW.AVPN-onlysubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sVPGanddoesnothavearoutetotheIGW.Regardlessofthetypeofsubnet,theinternalIPaddressrangeofthesubnetisalwaysprivate(non-routableontheInternet).
AroutetableisalogicalconstructwithinanAmazonVPCthatcontainsasetofrules(calledroutes)thatareappliedtothesubnetandusedtodeterminewherenetworktrafficisdirected.Aroutetable’sroutesarewhatpermitAmazonEC2instanceswithindifferentsubnetswithinanAmazonVPCtocommunicatewitheachother.Youcanmodifyroutetablesandaddyourowncustomroutes.Youcanalsouseroutetablestospecifywhichsubnetsarepublic(bydirectingInternettraffictotheIGW)andwhichsubnetsareprivate(bynothavingaroutethatdirectstraffictotheIGW).AnIGWisahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.IGWsarefullyredundantandhavenobandwidthconstraints.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletraffic,anditperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.
TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2host
nameassignmenttoyourownresources.Inorderforyoutoassignyourowndomainnametoyourinstances,youcreateacustomDHCPoptionsetandassignittoyourAmazonVPC.
AnEIPaddressisastatic,publicIPaddressinthepoolfortheregionthatyoucanallocatetoyouraccount(pullfromthepool)andrelease(returntothepool).EIPsallowyoutomaintainasetofIPaddressesthatremainfixedwhiletheunderlyinginfrastructuremaychangeovertime.
AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,VPNconnection,orAWSDirectConnect.Youcancreatemultipleendpointsforasingleservice,andyoucanusedifferentroutetablestoenforcedifferentaccesspoliciesfromdifferentsubnetstothesameservice.
AnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheywerewithinthesamenetwork.YoucancreateanAmazonVPCpeeringconnectionbetweenyourownAmazonVPCsorwithanAmazonVPCinanotherAWSaccountwithinasingleregion.ApeeringconnectionisneitheragatewaynoraVPNconnectionanddoesnotintroduceasinglepointoffailureforcommunication.
AsecuritygroupisavirtualstatefulfirewallthatcontrolsinboundandoutboundtraffictoAmazonEC2instances.WhenyoufirstlaunchanAmazonEC2instanceintoanAmazonVPC,youmustspecifythesecuritygroupwithwhichitwillbeassociated.AWSprovidesadefaultsecuritygroupforyouruse,whichhasrulesthatallowallinstancesassociatedwiththesecuritygrouptocommunicatewitheachotherandallowalloutboundtraffic.Youmaychangetherulesforthedefaultsecuritygroup,butyoumaynotdeletethedefaultsecuritygroup.
AnetworkACLisanotherlayerofsecuritythatactsasastatelessfirewallonasubnetlevel.AmazonVPCsarecreatedwithamodifiabledefaultnetworkACLassociatedwitheverysubnetthatallowsallinboundandoutboundtraffic.IfyouwanttocreateacustomnetworkACL,itsinitialconfigurationwilldenyallinboundandoutboundtrafficuntilyoucreatearulethatstatesotherwise.
ANATinstanceisacustomer-managedinstancethatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATinstance,andforwardthetraffictotheIGW.Inaddition,theNATinstancemaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.
ANATgatewayisanAWS-managedservicethatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATgateway,andforwardthetraffictotheIGW.Inaddition,theNATgatewaymaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.
AVPGistheVPNconcentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.ACGWisaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.AfterthesetwoelementsofanAmazonVPChavebeencreated,thelaststepistocreateaVPNtunnel.TheVPNtunnelisestablishedaftertrafficisgeneratedfromthe
customer’ssideoftheVPNconnection.
ExamEssentialsUnderstandwhataVPCisanditscoreandoptionalcomponents.AnAmazonVPCisalogicallyisolatednetworkintheAWSCloud.AnAmazonVPCismadeupofthefollowingcoreelements:subnets(public,private,andVPN-only),routetables,DHCPoptionsets,securitygroups,andnetworkACLs.OptionalelementsincludeanIGW,EIPaddresses,endpoints,peeringconnections,NATinstances,VPGs,CGWs,andVPNconnections.
Understandthepurposeofasubnet.AsubnetisasegmentofanAmazonVPC’sIPaddressrangewhereyoucanplacegroupsofisolatedresources.SubnetsaredefinedbyCIDRblocks—forexample,10.0.1.0/24and10.0.2.0/24—andarecontainedwithinanAvailabilityZone.
Identifythedifferencebetweenapublicsubnet,aprivatesubnet,andaVPN-Onlysubnet.Ifasubnet’strafficisroutedtoanIGW,thesubnetisknownasapublicsubnet.Ifasubnetdoesn’thavearoutetotheIGW,thesubnetisknownasaprivatesubnet.Ifasubnetdoesn’thavearoutetotheIGW,buthasitstrafficroutedtoaVPG,thesubnetisknownasaVPN-onlysubnet.
Understandthepurposeofaroutetable.Aroutetableisasetofrules(calledroutes)thatareusedtodeterminewherenetworktrafficisdirected.AroutetableallowsAmazonEC2instanceswithindifferentsubnetstocommunicatewitheachother(withinthesameAmazonVPC).TheAmazonVPCrouteralsoenablessubnets,IGWs,andVPGstocommunicatewitheachother.
UnderstandthepurposeofanIGW.AnIGWisahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.IGWsarefullyredundantandhavenobandwidthconstraints.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletrafficandperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.
UnderstandwhatDHCPoptionsetsprovidetoanAmazonVPC.TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2hostnameassignmenttoyourownresources.YoucanspecifythedomainnameforinstanceswithinanAmazonVPCandidentifytheIPaddressesofcustomDNSservers,NTPservers,andNetBIOSservers.
KnowthedifferencebetweenanAmazonVPCpublicIPaddressandanEIPaddress.ApublicIPaddressisanAWS-ownedIPthatcanbeautomaticallyassignedtoinstanceslaunchedwithinasubnet.AnEIPaddressisanAWS-ownedpublicIPaddressthatyouallocatetoyouraccountandassigntoinstancesornetworkinterfacesondemand.
UnderstandwhatendpointsprovidetoanAmazonVPC.AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,aVPNconnection,orAWSDirectConnect.Endpointssupportserviceswithintheregiononly.
UnderstandAmazonVPCpeering.AnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheyarewithinthesamenetwork.Peeringconnections
arecreatedthrougharequest/acceptprotocol.Transitivepeeringisnotsupported,andpeeringisonlyavailablebetweenAmazonVPCswithinthesameregion.
KnowthedifferencebetweenasecuritygroupandanetworkACL.Asecuritygroupappliesattheinstancelevel.Youcanhavemultipleinstancesinmultiplesubnetsthataremembersofthesamesecuritygroups.Securitygroupsarestateful,whichmeansthatreturntrafficisautomaticallyallowed,regardlessofanyoutboundrules.AnetworkACLisappliedonasubnetlevel,andtrafficisstateless.YouneedtoallowbothinboundandoutboundtrafficonthenetworkACLinorderforAmazonEC2instancesinasubnettobeabletocommunicateoveraparticularprotocol.
UnderstandwhataNATprovidestoanAmazonVPC.ANATinstanceorNATgatewayenablesinstancesinaprivatesubnettoinitiateoutboundtraffictotheInternet.ThisallowsoutboundInternetcommunicationtodownloadpatchesandupdates,forexample,butpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.
UnderstandthecomponentsneededtoestablishaVPNconnectionfromanetworktoanAmazonVPC.AVPGistheVPNconcentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.ACGWrepresentsaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.TheVPNconnectionmustbeinitiatedfromtheCGWside,andtheconnectionconsistsoftwoIPSectunnels.
ExercisesThebestwaytobecomefamiliarwithAmazonVPCistobuildyourowncustomAmazonVPCandthendeployAmazonEC2instancesintoit,whichiswhatyou’llbedoinginthissection.YoushouldrepeattheseexercisesuntilyoucancreateanddecommissionAmazonVPCswithconfidence.
Forassistancecompletingtheseexercises,refertotheAmazonVPCUserGuidelocatedathttp://aws.amazon.com/documentation/vpc/.
EXERCISE4.1
CreateaCustomAmazonVPC1. SignintotheAWSManagementConsoleasanadministratororpoweruser.
2. SelecttheAmazonVPCicontolaunchtheAmazonVPCDashboard.
3. CreateanAmazonVPCwithaCIDRblockequalto192.168.0.0/16,anametagofMyFirstVPC,anddefaulttenancy.
You have created your first custom VPC.
EXERCISE 4.2
Create Two Subnets for Your Custom Amazon VPC
1. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of My First Public Subnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify an Availability Zone for the subnet (for example, US-East-1a).
2. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of My First Private Subnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify a different Availability Zone for the subnet than previously specified (for example, US-East-1b).
You have now created two new subnets, each in its own Availability Zone. It's important to remember that one subnet equals one Availability Zone. You cannot stretch a subnet across multiple Availability Zones.
EXERCISE 4.3
Connect Your Custom Amazon VPC to the Internet and Establish Routing
For assistance with this exercise, refer to the Amazon EC2 key pair documentation at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
For additional assistance with this exercise, refer to the NAT instances documentation at: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance
1. Create an Amazon EC2 key pair in the same region as your custom Amazon VPC.
2. Create an IGW with a name tag of My First IGW and attach it to your custom Amazon VPC.
3. Add a route to the main route table for your custom Amazon VPC that directs Internet traffic (0.0.0.0/0) to the IGW.
4. Create a NAT gateway, place it in the public subnet of your custom Amazon VPC, and assign it an EIP.
5. Create a new route table with a name tag of My First Private Route Table and place it within your custom Amazon VPC. Add a route to it that directs Internet traffic (0.0.0.0/0) to the NAT gateway and associate it with the private subnet.
You have now created a connection to the Internet for resources within your Amazon VPC. You established routing rules that direct Internet traffic to the IGW regardless of the originating subnet.
EXERCISE 4.4
Launch an Amazon EC2 Instance and Test the Connection to the Internet
1. Launch a t2.micro Amazon Linux AMI as an Amazon EC2 instance into the public subnet of your custom Amazon VPC, give it a name tag of My First Public Instance, and select the newly-created key pair for secure access to the instance.
2. Securely access the Amazon EC2 instance in the public subnet via SSH with the newly-created key pair.
3. Execute an update to the operating system instance libraries by executing the following command:
# sudo yum update -y
4. You should see output showing the instance downloading software from the Internet and installing it.
You have now provisioned an Amazon EC2 instance in a public subnet. You can apply patches to the Amazon EC2 instance in the public subnet, and you have demonstrated connectivity to the Internet.
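Before creating the subnets and routes in Exercises 4.2 and 4.3, it is worth checking the address plan offline. The following Python script is an added example, not part of the book's exercises and not AWS tooling: it assumes a VPC CIDR of 192.168.0.0/16 for the Exercise 4.1 VPC (the book does not restate it here), applies the /16 to /28 limits and the five addresses AWS reserves in every subnet, rejects overlapping or out-of-range subnets, confirms the two subnets sit in different Availability Zones, and classifies a subnet as public or private from the target of its 0.0.0.0/0 route. The route tables and resource IDs in the sample are constructed placeholders.

```python
"""Offline checks for a VPC subnet plan (added example; constructed data, not AWS tooling)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# An Amazon VPC CIDR block, and each subnet inside it, must be between /16 and /28.
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28
# AWS reserves the first four addresses and the last address of every subnet.
RESERVED_PER_SUBNET = 5


@dataclass(frozen=True)
class SubnetPlan:
    name: str
    cidr: str
    az: str


def usable_hosts(cidr: str) -> int:
    """Instance-assignable addresses left after AWS's five reserved addresses."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, subnets: List[SubnetPlan]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not LARGEST_PREFIX <= vpc.prefixlen <= SMALLEST_PREFIX:
        problems.append(f"VPC {vpc_cidr}: prefix must be between /16 and /28")
    seen = []  # (name, network) pairs already accepted, for overlap checks
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)
        if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
            problems.append(f"{s.name}: {s.cidr} prefix must be between /16 and /28")
        if not net.subnet_of(vpc):
            problems.append(f"{s.name}: {s.cidr} is outside VPC {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s.name} overlaps {other_name}")
        seen.append((s.name, net))
    return problems


def ha_ready(subnets: List[SubnetPlan]) -> bool:
    """One subnet lives in exactly one AZ, so high availability needs two or more AZs."""
    return len({s.az for s in subnets}) >= 2


def subnet_kind(route_table: Dict[str, str]) -> str:
    """Classify a subnet from its route table ({destination: target}): a 0.0.0.0/0
    route to an IGW makes it public; one to a NAT gateway or NAT instance makes it
    private; no default route leaves it isolated. Target IDs here are placeholders."""
    target = route_table.get("0.0.0.0/0", "")
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-") or target.startswith("eni-"):
        return "private"
    return "isolated"


if __name__ == "__main__":
    # Constructed plan matching Exercise 4.2; the VPC CIDR is an assumption.
    plan = [
        SubnetPlan("My First Public Subnet", "192.168.1.0/24", "us-east-1a"),
        SubnetPlan("My First Private Subnet", "192.168.2.0/24", "us-east-1b"),
    ]
    print(validate_plan("192.168.0.0/16", plan), ha_ready(plan))
    print(subnet_kind({"192.168.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}))
```

A /24 leaves 251 usable addresses and a /28 leaves 11, which is why the book's minimum of /28 matters when sizing small private subnets for NAT gateways or databases.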
Review Questions
1. What is the minimum size subnet that you can have in an Amazon VPC?
A. /24
B. /26
C. /28
D. /30
2. You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?
A. 2
B. 3
C. 4
D. 1
3. Which of the following is an optional security control that can be applied at the subnet layer of a VPC?
A. Network ACL
B. Security Group
C. Firewall
D. Web application firewall
4. What is the maximum size IP address range that you can have in an Amazon VPC?
A. /16
B. /24
C. /28
D. /30
5. You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created?
A. An internal subnet
B. A private subnet
C. An external subnet
D. A public subnet
6. What happens when you create a new Amazon VPC?
A. A main route table is created by default.
B. Three subnets are created by default—one for each Availability Zone.
C. Three subnets are created by default in one Availability Zone.
D. An IGW is created by default.
7. You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true?
A. By default, these subnets will not be able to communicate with each other; you will need to create routes.
B. All subnets are public by default.
C. All subnets will be able to communicate with each other by default.
D. Each subnet will have identical CIDR blocks.
8. How many IGWs can you attach to an Amazon VPC at any one time?
A. 1
B. 2
C. 3
D. 4
9. What aspect of an Amazon VPC is stateful?
A. Network ACLs
B. Security groups
C. Amazon DynamoDB
D. Amazon S3
10. You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this?
A. Your NAT is in a public subnet, but it needs to be in a private subnet.
B. Your NAT should be behind an Elastic Load Balancer.
C. You should disable source/destination checks on the NAT.
D. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.
11. Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose 2 answers)
A. The EIP will be dissociated from the instance.
B. All data on instance-store devices will be lost.
C. All data on Amazon EBS devices will be lost.
D. The ENI is detached.
E. The underlying host for the instance is changed.
12. How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others?
A. 3
B. 4
C. 5
D. 6
13. Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?
A. A VPC peering connection
B. A DHCP option set
C. A routing rule
D. An IGW
14. Which of the following is the Amazon side of an Amazon VPN connection?
A. An EIP
B. A CGW
C. An IGW
D. A VPG
15. What is the default limit for the number of Amazon VPCs that a customer may have in a region?
A. 5
B. 6
C. 7
D. There is no default maximum number of VPCs within a region.
16. You are responsible for your company's AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances?
A. Security group
B. Network ACL
C. NAT instance
D. An Amazon VPC endpoint
17. Which of the following is the security protocol supported by Amazon VPC?
A. SSH
B. Advanced Encryption Standard (AES)
C. Point-to-Point Tunneling Protocol (PPTP)
D. IPsec
18. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?
A. Amazon S3 gateway
B. IGW
C. CGW
D. VPC endpoint
19. What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers)
A. The CIDR block representing the IP address range
B. One or more subnets for the Amazon VPC
C. The region for the Amazon VPC
D. Amazon VPC Peering relationships
20. Which Amazon VPC feature allows you to create a dual-homed instance?
A. EIP address
B. ENI
C. Security groups
D. CGW
Chapter 5
Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-effective, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Elasticity and scalability
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
CloudWatch Logs
Domain 4.0: Troubleshooting
Content may include the following:
General troubleshooting information and questions
Introduction
In this chapter, you will learn how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling work both independently and together to help you efficiently and cost-effectively deploy highly available and optimized workloads on AWS.
Elastic Load Balancing is a highly available service that distributes traffic across Amazon Elastic Compute Cloud (Amazon EC2) instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.
Amazon CloudWatch is a service that monitors AWS Cloud resources and applications running on AWS. It collects and tracks metrics, collects and monitors log files, and sets alarms. Amazon CloudWatch has a basic level of monitoring for no cost and a more detailed level of monitoring for an additional cost.
Auto Scaling is a service that allows you to maintain the availability of your applications by scaling Amazon EC2 capacity up or down in accordance with conditions you set.
This chapter covers all three services separately, but it also highlights how they can work together to build more robust and highly available architectures on AWS.
Elastic Load Balancing
An advantage of having access to a large number of servers in the cloud, such as Amazon EC2 instances on AWS, is the ability to provide a more consistent experience for the end user. One way to ensure consistency is to balance the request load across more than one server. A load balancer is a mechanism that automatically distributes traffic across multiple Amazon EC2 instances. You can either manage your own virtual load balancers on Amazon EC2 instances or leverage an AWS Cloud service called Elastic Load Balancing, which provides a managed load balancer for you.
The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones, enabling you to achieve high availability in your applications. Elastic Load Balancing supports routing and load balancing of Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Transmission Control Protocol (TCP), and Secure Sockets Layer (SSL) traffic to Amazon EC2 instances. Elastic Load Balancing provides a stable, single Canonical Name record (CNAME) entry point for Domain Name System (DNS) configuration and supports both Internet-facing and internal application-facing load balancers. Elastic Load Balancing supports health checks for Amazon EC2 instances to ensure traffic is not routed to unhealthy or failing instances. Also, Elastic Load Balancing can automatically scale based on collected metrics.
There are several advantages of using Elastic Load Balancing. Because Elastic Load Balancing is a managed service, it scales in and out automatically to meet the demands of increased application traffic and is highly available within a region itself as a service. Elastic Load Balancing helps you achieve high availability for your applications by distributing traffic across healthy instances in multiple Availability Zones. Additionally, Elastic Load Balancing seamlessly integrates with the Auto Scaling service to automatically scale the Amazon EC2 instances behind the load balancer. Finally, Elastic Load Balancing is secure, working with Amazon Virtual Private Cloud (Amazon VPC) to route traffic internally between application tiers, allowing you to expose only Internet-facing public IP addresses. Elastic Load Balancing also supports integrated certificate management and SSL termination.
Elastic Load Balancing is a highly available service itself and can be used to help build highly available architectures.
Types of Load Balancers
Elastic Load Balancing provides several types of load balancers for handling different kinds of connections, including Internet-facing, internal, and load balancers that support encrypted connections.
Internet-Facing Load Balancers
An Internet-facing load balancer is, as the name implies, a load balancer that takes requests from clients over the Internet and distributes them to Amazon EC2 instances that are registered with the load balancer.
When you configure a load balancer, it receives a public DNS name that clients can use to send requests to your application. The DNS servers resolve the DNS name to your load balancer's public IP address, which can be visible to client applications.
An AWS recommended best practice is always to reference a load balancer by its DNS name, instead of by the IP address of the load balancer, in order to provide a single, stable entry point.
Because Elastic Load Balancing scales in and out to meet traffic demand, it is not recommended to bind an application to an IP address that may no longer be part of a load balancer's pool of resources.
Elastic Load Balancing in Amazon VPC supports IPv4 addresses only. Elastic Load Balancing in EC2-Classic supports both IPv4 and IPv6 addresses.
Internal Load Balancers
In a multi-tier application, it is often useful to load balance between the tiers of the application. For example, an Internet-facing load balancer might receive and balance external traffic to the presentation or web tier, whose Amazon EC2 instances then send their requests to a load balancer sitting in front of the application tier. You can use internal load balancers to route traffic to your Amazon EC2 instances in VPCs with private subnets.
HTTPS Load Balancers
You can create a load balancer that uses the SSL/Transport Layer Security (TLS) protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your back-end instances. Elastic Load Balancing provides security policies that have predefined SSL negotiation configurations to use to negotiate connections between clients and the load balancer. In order to use SSL, you must install an SSL certificate on the load balancer that it uses to terminate the connection and then decrypt requests from clients before sending requests to the back-end Amazon EC2 instances. You can optionally choose to enable authentication on your back-end instances.
Elastic Load Balancing does not support Server Name Indication (SNI) on your load balancer. This means that if you want to host multiple websites on a fleet of Amazon EC2 instances behind Elastic Load Balancing with a single SSL certificate, you will need to add a Subject Alternative Name (SAN) for each website to the certificate to avoid site users seeing a warning message when the site is accessed.
Listeners
Every load balancer must have one or more listeners configured. A listener is a process that checks for connection requests—for example, a CNAME configured to the A record name of the load balancer. Every listener is configured with a protocol and a port (client to load balancer) for a front-end connection and a protocol and a port for the back-end (load balancer to Amazon EC2 instance) connection. Elastic Load Balancing supports the following protocols:
HTTP
HTTPS
TCP
SSL
Elastic Load Balancing supports protocols operating at two different Open System Interconnection (OSI) layers. In the OSI model, Layer 4 is the transport layer that describes the TCP connection between the client and your back-end instance through the load balancer. Layer 4 is the lowest level that is configurable for your load balancer. Layer 7 is the application layer that describes the use of HTTP and HTTPS connections from clients to the load balancer and from the load balancer to your back-end instance.
The SSL protocol is primarily used to encrypt confidential data over insecure networks such as the Internet. The SSL protocol establishes a secure connection between a client and the back-end server and ensures that all the data passed between your client and your server is private.
Configuring Elastic Load Balancing
Elastic Load Balancing allows you to configure many aspects of the load balancer, including idle connection timeout, cross-zone load balancing, connection draining, proxy protocol, sticky sessions, and health checks. Configuration settings can be modified using either the AWS Management Console or a Command Line Interface (CLI). Some of the options are described next.
Idle Connection Timeout
For each request that a client makes through a load balancer, the load balancer maintains two connections. One connection is with the client and the other connection is to the back-end instance. For each connection, the load balancer manages an idle timeout that is triggered when no data is sent over the connection for a specified time period. After the idle timeout period has elapsed, if no data has been sent or received, the load balancer closes the connection.
By default, Elastic Load Balancing sets the idle timeout to 60 seconds for both connections. If an HTTP request doesn't complete within the idle timeout period, the load balancer closes the connection, even if data is still being transferred. You can change the idle timeout setting for the connections to ensure that lengthy operations, such as file uploads, have time to complete.
If you use HTTP and HTTPS listeners, we recommend that you enable the keep-alive option for your Amazon EC2 instances. You can enable keep-alive in your web server settings or in the kernel settings for your Amazon EC2 instances. Keep-alive, when enabled, allows the load balancer to reuse connections to your back-end instance, which reduces CPU utilization.
To ensure that the load balancer is responsible for closing the connections to your back-end instance, make sure that the value you set for the keep-alive time is greater than the idle timeout setting on your load balancer.
Cross-Zone Load Balancing
To ensure that request traffic is routed evenly across all back-end instances for your load balancer, regardless of the Availability Zone in which they are located, you should enable cross-zone load balancing on your load balancer. Cross-zone load balancing reduces the need to maintain equivalent numbers of back-end instances in each Availability Zone and improves your application's ability to handle the loss of one or more back-end instances. However, it is still recommended that you maintain approximately equivalent numbers of instances in each Availability Zone for higher fault tolerance.
For environments where clients cache DNS lookups, incoming requests might favor one of the Availability Zones. Using cross-zone load balancing, this imbalance in the request load is spread across all available back-end instances in the region, reducing the impact of misconfigured clients.
Connection Draining
You should enable connection draining to ensure that the load balancer stops sending requests to instances that are deregistering or unhealthy, while keeping the existing connections open. This enables the load balancer to complete in-flight requests made to these instances.
When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as deregistered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the deregistering instance.
Proxy Protocol
When you use TCP or SSL for both front-end and back-end connections, your load balancer forwards requests to the back-end instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers. The header is then sent to the back-end instance as part of the request.
Before using Proxy Protocol, verify that your load balancer is not behind a proxy server with Proxy Protocol enabled. If Proxy Protocol is enabled on both the proxy server and the load balancer, the load balancer adds another header to the request, which already has a header from the proxy server. Depending on how your back-end instance is configured, this duplication might result in errors.
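What a back end actually receives when Proxy Protocol is on, and how it should handle the duplicate-header case just described, is easier to see with a parser. The following Python is an added example, not the book's code and not an AWS library: it parses the human-readable (version 1) PROXY line, validates the address family and ports, hands back the real client address for logging or access decisions, and refuses a connection that carries a second PROXY line, which is exactly what the back end sees when an upstream proxy and the load balancer both add the header. The sample bytes are constructed.

```python
"""Parse and validate a Proxy Protocol v1 header (added example; constructed input)."""
import ipaddress
import re
from typing import Optional, Tuple

# Version 1 header: "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n".
# With the UNKNOWN family the four address fields may be absent.
_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")
MAX_V1_HEADER = 107  # longest valid v1 line including CRLF


class ProxyHeaderError(ValueError):
    """Raised when the connection does not start with exactly one valid header."""


def parse_proxy_v1(data: bytes) -> Tuple[Optional[str], Optional[int], Optional[str], Optional[int], bytes]:
    """Return (src_ip, src_port, dst_ip, dst_port, remaining_bytes).

    Addresses are None for the UNKNOWN family (for example, a health check
    connection opened by the load balancer itself)."""
    end = data[:MAX_V1_HEADER].find(b"\r\n")
    if end < 0:
        raise ProxyHeaderError("no PROXY v1 header within the first 107 bytes")
    m = _PROXY_V1.match(data[: end + 2])
    if not m:
        raise ProxyHeaderError("malformed PROXY v1 header")
    rest = data[end + 2:]
    family = m.group(1)
    if family == b"UNKNOWN":
        return None, None, None, None, rest
    if m.group(2) is None:
        raise ProxyHeaderError("address fields missing for " + family.decode())
    try:
        src = ipaddress.ip_address(m.group(2).decode())
        dst = ipaddress.ip_address(m.group(3).decode())
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address in PROXY header: {exc}") from exc
    sport, dport = int(m.group(4)), int(m.group(5))
    want_version = 4 if family == b"TCP4" else 6
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address family does not match the addresses")
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return str(src), sport, str(dst), dport, rest


def client_address(data: bytes) -> Tuple[Optional[str], Optional[int], bytes]:
    """Source address a back end should log, plus the payload that follows.

    A second PROXY line right after the first means two hops both added the
    header (the misconfiguration the text warns about); rejecting it keeps a
    stray 'PROXY ...' line from being handed to the application as data."""
    src, sport, _dst, _dport, rest = parse_proxy_v1(data)
    if rest.startswith(b"PROXY "):
        raise ProxyHeaderError("duplicate PROXY header: Proxy Protocol enabled on two hops")
    return src, sport, rest


def is_rejected(data: bytes) -> bool:
    """True when client_address() refuses the connection prefix."""
    try:
        client_address(data)
    except ProxyHeaderError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: header added by the load balancer, then an HTTP request.
    sample = b"PROXY TCP4 198.51.100.7 10.0.1.20 51234 80\r\nGET / HTTP/1.1\r\n\r\n"
    print(client_address(sample))
```

Because the header is plain text supplied by whoever opened the TCP connection, a back end should only parse it on listeners that are reachable solely through the load balancer; on a port open to other sources the source address in the header cannot be trusted.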
Sticky Sessions
By default, a load balancer routes each request independently to the registered instance with the smallest load. However, you can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.
The key to managing sticky sessions is to determine how long your load balancer should consistently route the user's request to the same instance. If your application has its own session cookie, you can configure Elastic Load Balancing so that the session cookie follows the duration specified by the application's session cookie. If your application does not have its own session cookie, you can configure Elastic Load Balancing to create a session cookie by specifying your own stickiness duration. Elastic Load Balancing creates a cookie named AWSELB that is used to map the session to the instance.
Health Checks
Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances to determine whether the instance is in a healthy state or an unhealthy state. A health check is a ping, a connection attempt, or a page that is checked periodically. You can set the time interval between health checks and also the amount of time to wait to respond in case the health check page includes a computational aspect. Finally, you can set a threshold for the number of consecutive health check failures before an instance is marked as unhealthy.
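The consecutive-failure threshold described above is a small state machine, and seeing it written out shows why a single failed check does not take an instance out of rotation. The following Python class is an added example, not Elastic Load Balancing code: it keeps per-instance counters of consecutive failures and successes, marks an instance OutOfService once failures reach the unhealthy threshold, and only returns it to InService after a healthy threshold of consecutive successes. Newly registered instances start OutOfService, as they do on a load balancer until they pass their first checks. The instance IDs in the sample are constructed.

```python
"""Health-check state tracking with consecutive thresholds (added example)."""
from collections import defaultdict
from typing import Dict, List

IN_SERVICE = "InService"
OUT_OF_SERVICE = "OutOfService"


class HealthChecker:
    """Track instance health from a stream of periodic check results."""

    def __init__(self, unhealthy_threshold: int = 2, healthy_threshold: int = 10):
        self.unhealthy_threshold = unhealthy_threshold
        self.healthy_threshold = healthy_threshold
        self.state: Dict[str, str] = {}
        self._fails: Dict[str, int] = defaultdict(int)
        self._passes: Dict[str, int] = defaultdict(int)

    def register(self, instance_id: str) -> None:
        """A newly registered instance is not routed to until it proves healthy."""
        self.state[instance_id] = OUT_OF_SERVICE
        self._fails[instance_id] = 0
        self._passes[instance_id] = 0

    def record(self, instance_id: str, passed: bool) -> str:
        """Record one check result and return the instance's resulting state.

        Each pass resets the failure streak and each failure resets the pass
        streak, so only consecutive results move an instance across a threshold."""
        if instance_id not in self.state:
            raise KeyError(f"{instance_id} is not registered")
        if passed:
            self._fails[instance_id] = 0
            self._passes[instance_id] += 1
            if self._passes[instance_id] >= self.healthy_threshold:
                self.state[instance_id] = IN_SERVICE
        else:
            self._passes[instance_id] = 0
            self._fails[instance_id] += 1
            if self._fails[instance_id] >= self.unhealthy_threshold:
                self.state[instance_id] = OUT_OF_SERVICE
        return self.state[instance_id]

    def healthy_targets(self) -> List[str]:
        """Instances the load balancer may route new requests to."""
        return sorted(i for i, s in self.state.items() if s == IN_SERVICE)


if __name__ == "__main__":
    hc = HealthChecker(unhealthy_threshold=2, healthy_threshold=3)
    for iid in ("i-constructed-a", "i-constructed-b"):  # constructed IDs
        hc.register(iid)
    for _ in range(3):
        hc.record("i-constructed-a", True)
    print(hc.healthy_targets())
```

The asymmetry in the defaults (few failures to leave service, many passes to return) is deliberate: it pulls a failing instance out of rotation quickly but keeps a flapping one from receiving traffic until it has been stable for a while.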
Updates Behind an Elastic Load Balancing Load Balancer
Long-running applications will eventually need to be maintained and updated with a newer version of the application. When using Amazon EC2 instances running behind an Elastic Load Balancing load balancer, you may deregister these long-running Amazon EC2 instances associated with a load balancer manually and then register newly launched Amazon EC2 instances that you have started with the new updates installed.
Amazon CloudWatch
Amazon CloudWatch is a service that you can use to monitor your AWS resources and your applications in real time. With Amazon CloudWatch, you can collect and track metrics, create alarms that send notifications, and make changes to the resources being monitored based on rules you define.
For example, you might choose to monitor CPU utilization to decide when to add or remove Amazon EC2 instances in an application tier. Or, if a particular application-specific metric that is not visible to AWS is the best indicator for assessing your scaling needs, you can perform a PUT request to push that metric into Amazon CloudWatch. You can then use this custom metric to manage capacity.
You can specify parameters for a metric over a time period and configure alarms and automated actions when a threshold is reached. Amazon CloudWatch supports multiple types of actions such as sending a notification to an Amazon Simple Notification Service (Amazon SNS) topic or executing an Auto Scaling policy.
Amazon CloudWatch offers either basic or detailed monitoring for supported AWS products. Basic monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of preselected metrics at no charge. Detailed monitoring sends data points to Amazon CloudWatch every minute and allows data aggregation for an additional charge. If you want to use detailed monitoring, you must enable it—basic is the default.
Amazon CloudWatch supports monitoring and specific metrics for most AWS Cloud services, including: Auto Scaling, Amazon CloudFront, Amazon CloudSearch, Amazon DynamoDB, Amazon EC2, Amazon EC2 Container Service (Amazon ECS), Amazon ElastiCache, Amazon Elastic Block Store (Amazon EBS), Elastic Load Balancing, Amazon Elastic MapReduce (Amazon EMR), Amazon Elasticsearch Service, Amazon Kinesis Streams, Amazon Kinesis Firehose, AWS Lambda, Amazon Machine Learning, AWS OpsWorks, Amazon Redshift, Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SNS, Amazon Simple Queue Service (Amazon SQS), Amazon S3, AWS Simple Workflow Service (Amazon SWF), AWS Storage Gateway, AWS WAF, and Amazon WorkSpaces.
Read Alert
You may have an application that leverages Amazon DynamoDB, and you want to know when read requests reach a certain threshold and alert yourself with an email. You can do this by using ProvisionedReadCapacityUnits for the Amazon DynamoDB table for which you want to set an alarm. You simply set a threshold value during a number of consecutive periods and then specify email as the notification type. Now, when the threshold is sustained over the number of periods, your specified email will alert you to the read activity.
Amazon CloudWatch metrics can be retrieved by performing a GET request. When you use detailed monitoring, you can also aggregate metrics across a length of time you specify. Amazon CloudWatch does not aggregate data across regions but can aggregate across Availability Zones within a region.
AWS provides a rich set of metrics included with each service, but you can also define custom metrics to monitor resources and events AWS does not have visibility into—for example, Amazon EC2 instance memory consumption and disk metrics that are visible to the operating system of the Amazon EC2 instance but not visible to AWS, or application-specific thresholds running on instances that are not known to AWS. Amazon CloudWatch supports an Application Programming Interface (API) that allows programs and scripts to PUT metrics into Amazon CloudWatch as name-value pairs that can then be used to create events and trigger alarms in the same manner as the default Amazon CloudWatch metrics.
Amazon CloudWatch Logs can be used to monitor, store, and access log files from Amazon EC2 instances, AWS CloudTrail, and other sources. You can then retrieve the log data and monitor in real time for events—for example, you can track the number of errors in your application logs and send a notification if an error rate exceeds a threshold. Amazon CloudWatch Logs can also be used to store your logs in Amazon S3 or Amazon Glacier. Logs can be retained indefinitely or according to an aging policy that will delete older logs as no longer needed.
A CloudWatch Logs agent is available that provides an automated way to send log data to CloudWatch Logs for Amazon EC2 instances running Amazon Linux or Ubuntu. You can use the Amazon CloudWatch Logs agent installer on an existing Amazon EC2 instance to install and configure the CloudWatch Logs agent. After installation is complete, the agent confirms that it has started and it stays running until you disable it.
Amazon CloudWatch has some limits that you should keep in mind when using the service. Each AWS account is limited to 5,000 alarms per AWS account, and metrics data is retained for two weeks by default (at the time of this writing). If you want to keep the data longer, you will need to move the logs to a persistent store like Amazon S3 or Amazon Glacier. You should familiarize yourself with the limits for Amazon CloudWatch in the Amazon CloudWatch Developer Guide.
Auto Scaling
A distinct advantage of deploying applications to the cloud is the ability to launch and then release servers in response to variable workloads. Provisioning servers on demand and then releasing them when they are no longer needed can provide significant cost savings for workloads that are not steady state. Examples include a website for a specific sporting event, an end-of-month data-input system, a retail shopping site supporting flash sales, a music artist website during the release of new songs, a company website announcing successful earnings, or a nightly processing run to calculate daily activity.
Auto Scaling is a service that allows you to scale your Amazon EC2 capacity automatically by scaling out and scaling in according to criteria that you define. With Auto Scaling, you can ensure that the number of running Amazon EC2 instances increases during demand spikes or peak demand periods to maintain application performance and decreases automatically during demand lulls or troughs to minimize costs.
Embrace the Spike
Many web applications have unplanned load increases based on events outside of your control. For example, your company may get mentioned on a popular blog or television program, driving many more people to visit your site than expected. Setting up Auto Scaling in advance will allow you to embrace and survive this kind of fast increase in the number of requests. Auto Scaling will scale up your site to meet the increased demand and then scale down when the event subsides.
Auto Scaling Plans
Auto Scaling has several schemes or plans that you can use to control how you want Auto Scaling to perform.
Maintain Current Instance Levels
You can configure your Auto Scaling group to maintain a minimum or specified number of running instances at all times. To maintain the current instance levels, Auto Scaling performs a periodic health check on running instances within an Auto Scaling group. When Auto Scaling finds an unhealthy instance, it terminates that instance and launches a new one.
Steady state workloads that need a consistent number of Amazon EC2 instances at all times can use Auto Scaling to monitor and keep that specific number of Amazon EC2 instances running.
Manual Scaling
Manual scaling is the most basic way to scale your resources. You only need to specify the change in the maximum, minimum, or desired capacity of your Auto Scaling group. Auto Scaling manages the process of creating or terminating instances to maintain the updated capacity.
Manual scaling out can be very useful to increase resources for an infrequent event, such as the release of a new game version that will be available for download and require a user registration. For extremely large-scale events, even the Elastic Load Balancing load balancers can be pre-warmed by working with your local solutions architect or AWS Support.
Scheduled Scaling
Sometimes you know exactly when you will need to increase or decrease the number of instances in your group, simply because that need arises on a predictable schedule. Examples include periodic events such as end-of-month, end-of-quarter, or end-of-year processing, and also other predictable, recurring events. Scheduled scaling means that scaling actions are performed automatically as a function of time and date.
Recurring events such as end-of-month, quarter, or year processing, or scheduled and recurring automated load and performance testing, can be anticipated, and Auto Scaling can be ramped up appropriately at the time of the scheduled event.
Dynamic Scaling
Dynamic scaling lets you define parameters that control the Auto Scaling process in a scaling policy. For example, you might create a policy that adds more Amazon EC2 instances to the web tier when the network bandwidth, measured by Amazon CloudWatch, reaches a certain threshold.
Auto Scaling Components
Auto Scaling has several components that need to be configured to work properly: a launch configuration, an Auto Scaling group, and an optional scaling policy.
Launch Configuration
A launch configuration is the template that Auto Scaling uses to create new instances, and it is composed of the configuration name, Amazon Machine Image (AMI), Amazon EC2 instance type, security group, and instance key pair. Each Auto Scaling group can have only one launch configuration at a time.
The CLI command that follows will create a launch configuration with the following attributes:
Name: myLC
AMI: ami-0535d66c
Instance type: m3.medium
Security groups: sg-f57cde9d
Instance key pair: myKeyPair
> aws autoscaling create-launch-configuration --launch-configuration-name myLC --image-id ami-0535d66c --instance-type m3.medium --security-groups sg-f57cde9d --key-name myKeyPair
Security groups for instances launched in EC2-Classic may be referenced by security group name, such as "SSH" or "Web" if that is what they are named, or you can reference the security group IDs, such as sg-f57cde9d. If you launched the instances in Amazon VPC, which is recommended, you must use the security group IDs to reference the security groups you want associated with the instances in an Auto Scaling launch configuration.
The default limit for launch configurations is 100 per region. If you exceed this limit, the call to create-launch-configuration will fail. You may view and update this limit by running describe-account-limits at the command line, as shown here.
> aws autoscaling describe-account-limits
Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which is 20. When building more complex architectures with AWS, it is important to keep in mind the service limits for all AWS Cloud services you are using.
When you run a command using the CLI and it fails, check your syntax first. If that checks out, verify the limits for the command you are attempting, and check to see that you have not exceeded a limit. Some limits can be raised; they usually default to a reasonable value to limit a race condition, an errant script running in a loop, or other similar automation that might cause unintended high usage and billing of AWS resources. AWS service limits can be viewed in the AWS General Reference Guide under AWS Service Limits. You can raise your limits by creating a support case at the AWS Support Center online and then choosing Service Limit Increase under Regarding. Then fill in the appropriate service and limit to increase value in the online form.
Auto Scaling Group
An Auto Scaling group is a collection of Amazon EC2 instances managed by the Auto Scaling service. Each Auto Scaling group contains configuration options that control when Auto Scaling should launch new instances and terminate existing instances. An Auto Scaling group must contain a name and a minimum and maximum number of instances that can be in the group. You can optionally specify desired capacity, which is the number of instances that the group must have at all times. If you don't specify a desired capacity, the default desired capacity is the minimum number of instances that you specify.
The CLI command that follows will create an Auto Scaling group that references the previous launch configuration and includes the following specifications:
Name: myASG
Launch configuration: myLC
Availability Zones: us-east-1a and us-east-1c
Minimum size: 1
Desired capacity: 3
Maximum capacity: 10
Load balancers: myELB
> aws autoscaling create-auto-scaling-group --auto-scaling-group-name myASG --launch-configuration-name myLC --availability-zones us-east-1a us-east-1c --min-size 1 --max-size 10 --desired-capacity 3 --load-balancer-names myELB
Figure 5.1 depicts deployed AWS resources after a load balancer named myELB is created and the launch configuration myLC and Auto Scaling group myASG are set up.
FIGURE 5.1 Auto Scaling group behind an Elastic Load Balancing load balancer
An Auto Scaling group can use either On-Demand or Spot Instances as the Amazon EC2 instances it manages. On-Demand is the default, but Spot Instances can be used by referencing a maximum bid price in the launch configuration (--spot-price "0.15") associated with the Auto Scaling group. You may change the bid price by creating a new launch configuration with the new bid price and then associating it with your Auto Scaling group. If instances are available at or below your bid price, they will be launched in your Auto Scaling group. Spot Instances in an Auto Scaling group follow the same guidelines as Spot Instances outside an Auto Scaling group and require applications that are flexible and can tolerate Amazon EC2 instances that are terminated with short notice, for example, when the Spot price rises above the bid price you set in the launch configuration. A launch configuration can reference On-Demand Instances or Spot Instances, but not both.
Spot On!
Auto Scaling supports using cost-effective Spot Instances. This can be very useful when you are hosting sites where you want to provide additional compute capacity but are price constrained. An example is a "freemium" site model where you may offer some basic functionality to users for free and additional functionality for premium users who pay for use. Spot Instances can be used for providing the basic functionality when available by referencing a maximum bid price in the launch configuration (--spot-price "0.15") associated with the Auto Scaling group.
ScalingPolicyYoucanassociateAmazonCloudWatchalarmsandscalingpolicieswithanAutoScalinggrouptoadjustAutoScalingdynamically.Whenathresholdiscrossed,AmazonCloudWatchsendsalarmstotriggerchanges(scalinginorout)tothenumberofAmazonEC2instancescurrentlyreceivingtrafficbehindaloadbalancer.AftertheAmazonCloudWatchalarmsendsamessagetotheAutoScalinggroup,AutoScalingexecutestheassociatedpolicytoscaleyourgroup.ThepolicyisasetofinstructionsthattellsAutoScalingwhethertoscaleout,launchingnewAmazonEC2instancesreferencedintheassociatedlaunchconfiguration,ortoscaleinandterminateinstances.
Thereareseveralwaystoconfigureascalingpolicy:Youcanincreaseordecreasebyaspecificnumberofinstances,suchasaddingtwoinstances;youcantargetaspecificnumberofinstances,suchasamaximumoffivetotalAmazonEC2instances;oryoucanadjustbasedonapercentage.Youcanalsoscalebystepsandincreaseordecreasethecurrentcapacityofthegroupbasedonasetofscalingadjustmentsthatvarybasedonthesizeofthealarmthresholdtrigger.
YoucanassociatemorethanonescalingpolicywithanAutoScalinggroup.Forexample,youcancreateapolicyusingthetriggerforCPUutilization,calledCPULoad,andtheCloudWatchmetricCPUUtilizationtospecifyscalingoutifCPUutilizationisgreaterthan75percentfortwominutes.YoucouldattachanotherpolicytothesameAutoScalinggrouptoscaleinifCPUutilizationislessthan40percentfor20minutes.
The following CLI commands create the two scaling policies just described. Each command prints the PolicyARN of the new policy, which the alarms in the next step reference.
> aws autoscaling put-scaling-policy --auto-scaling-group-name myASG \
    --policy-name CPULoadScaleOut --scaling-adjustment 1 \
    --adjustment-type ChangeInCapacity --cooldown 30
> aws autoscaling put-scaling-policy --auto-scaling-group-name myASG \
    --policy-name CPULoadScaleIn --scaling-adjustment -1 \
    --adjustment-type ChangeInCapacity --cooldown 600
The following CLI commands associate Amazon CloudWatch alarms for scaling out and scaling in with the scaling policies, as shown in Figure 5.2. In this example, the Amazon CloudWatch alarms reference the scaling policy by Amazon Resource Name (ARN), the PolicyARN value returned by put-scaling-policy. Note the comparison operators: the scale-out alarm fires when the five-minute average CPU is at or above 75 percent, and the scale-in alarm must use a less-than comparison, because an alarm that fires when CPU is at or above 40 percent would terminate instances while the group is under load.
FIGURE 5.2 Auto Scaling group with policy
> aws cloudwatch put-metric-alarm --alarm-name capacityAdd \
    --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average \
    --period 300 --threshold 75 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --dimensions "Name=AutoScalingGroupName,Value=myASG" \
    --evaluation-periods 1 --unit Percent \
    --alarm-actions arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:12345678-90ab-cdef-1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleOut
> aws cloudwatch put-metric-alarm --alarm-name capacityReduce \
    --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average \
    --period 1200 --threshold 40 \
    --comparison-operator LessThanOrEqualToThreshold \
    --dimensions "Name=AutoScalingGroupName,Value=myASG" \
    --evaluation-periods 1 --unit Percent \
    --alarm-actions arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:11345678-90ab-cdef-1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleIn
If the scaling policy defined in the previous paragraph is associated with the Auto Scaling group named myASG, and the CPU utilization is at or above 75 percent for five minutes, as shown in Figure 5.3, a new Amazon EC2 instance will be launched and attached to the load balancer named myELB.
FIGURE 5.3 Amazon CloudWatch alarm triggering scaling out
A recommended best practice is to scale out quickly and scale in slowly, so you can respond to bursts or spikes but avoid inadvertently terminating Amazon EC2 instances too quickly, only to have to launch more Amazon EC2 instances if the burst is sustained. Auto Scaling also supports a cooldown period, a configurable setting that suspends further scaling activities for an Auto Scaling group for a short time after a scaling activity completes, so that newly launched instances have time to take load before the next alarm is acted on.
If you start an Amazon EC2 instance, you are billed for one full hour of running time; partial instance hours consumed are billed as full hours. (AWS has since introduced per-second billing for some instance platforms, so check the current pricing page; the scaling principle below holds either way.) This means that if you have a permissive scaling policy that launches, terminates, and relaunches many instances an hour, you are billed a full hour for each and every instance you launch, even if you terminate some of those instances in less than an hour. A recommended best practice for cost effectiveness is to scale out quickly when needed but scale in more slowly, to avoid relaunching new and separate Amazon EC2 instances for a workload that fluctuates up and down within minutes but generally continues to need more resources within the hour.
Scale out quickly; scale in slowly.
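To make the alarm-to-policy loop concrete, the following Python simulation (an added example, not code from the study guide or from AWS) evaluates the two alarms configured above against a constructed one-sample-per-minute CPU trace and applies the ChangeInCapacity policies with their cooldowns and the group's minimum and maximum bounds. It makes no AWS calls, and it simplifies CloudWatch by sliding the evaluation window every minute instead of aligning to fixed period boundaries. The trace is ten minutes at 90 percent followed by thirty minutes at 20 percent: the 30-second cooldown lets the group scale out three times within the first seven minutes, while the 20-minute period and 600-second cooldown hold the scale-in to two steps, ten minutes apart.

```python
"""Simulation of the alarm-to-scaling-policy loop described above: a CloudWatch
alarm averages a metric over a period, compares it to a threshold for a number
of evaluation periods, and on ALARM the ChangeInCapacity policy adjusts the
group's desired capacity, bounded by min/max and suppressed during cooldown.
Added example with a constructed CPU trace; makes no AWS calls."""
from dataclasses import dataclass, field
from statistics import mean
import operator

COMPARISONS = {
    "GreaterThanOrEqualToThreshold": operator.ge,
    "GreaterThanThreshold": operator.gt,
    "LessThanOrEqualToThreshold": operator.le,
    "LessThanThreshold": operator.lt,
}


@dataclass
class Alarm:
    name: str
    period: int          # seconds aggregated per datapoint (300 = five minutes)
    threshold: float
    comparison: str      # one of COMPARISONS
    evaluation_periods: int = 1

    def in_alarm(self, samples, now):
        """samples: (timestamp_seconds, value) pairs, one per minute.
        True when the Average over each of the last evaluation_periods full
        periods satisfies the comparison. A period holding fewer samples than
        it should is INSUFFICIENT_DATA and does not alarm."""
        cmp = COMPARISONS[self.comparison]
        for i in range(self.evaluation_periods):
            end = now - i * self.period
            bucket = [v for t, v in samples if end - self.period <= t < end]
            if len(bucket) < self.period // 60 or not cmp(mean(bucket), self.threshold):
                return False
        return True


@dataclass
class ScalingPolicy:
    name: str
    scaling_adjustment: int   # ChangeInCapacity: +1 scale out, -1 scale in
    cooldown: int             # seconds during which further scaling is suspended


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    cooldown_until: int = -1
    events: list = field(default_factory=list)   # (time, policy, old, new)

    def apply(self, policy, now):
        if now < self.cooldown_until:
            return False   # alarm ignored: the group is in cooldown
        new = max(self.min_size, min(self.max_size, self.desired + policy.scaling_adjustment))
        if new == self.desired:
            return False   # already at the min or max bound
        self.events.append((now, policy.name, self.desired, new))
        self.desired = new
        self.cooldown_until = now + policy.cooldown
        return True


def simulate(cpu_by_minute, asg, alarms):
    """alarms: (Alarm, ScalingPolicy) pairs. Evaluates every minute; real
    CloudWatch aligns to fixed period boundaries, this slides the window."""
    samples = []
    for minute, cpu in enumerate(cpu_by_minute):
        samples.append((minute * 60, cpu))
        now = (minute + 1) * 60
        for alarm, policy in alarms:
            if alarm.in_alarm(samples, now):
                asg.apply(policy, now)
    return asg


# Constructed trace: ten minutes at 90 percent CPU, then thirty minutes at 20.
CPU_TRACE = [90] * 10 + [20] * 30

SCALE_OUT = (Alarm("capacityAdd", period=300, threshold=75,
                   comparison="GreaterThanOrEqualToThreshold"),
             ScalingPolicy("CPULoadScaleOut", scaling_adjustment=1, cooldown=30))
SCALE_IN = (Alarm("capacityReduce", period=1200, threshold=40,
                  comparison="LessThanOrEqualToThreshold"),
            ScalingPolicy("CPULoadScaleIn", scaling_adjustment=-1, cooldown=600))


def run_example():
    asg = AutoScalingGroup(min_size=1, max_size=5, desired=2)
    return simulate(CPU_TRACE, asg, [SCALE_OUT, SCALE_IN])


if __name__ == "__main__":
    for when, policy, old, new in run_example().events:
        print(f"t={when:5d}s {policy}: desired {old} -> {new}")
```

Swap the scale-in alarm's comparison for GreaterThanOrEqualToThreshold (the operator in the uncorrected book command) and rerun: the group scales in while the trace is still at 90 percent, which is the failure mode the note above warns about.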
It is important to consider bootstrapping for Amazon EC2 instances launched using Auto Scaling. It takes time to configure each newly launched Amazon EC2 instance before the instance is healthy and capable of accepting traffic. Instances that start and are available for load faster can join the capacity pool more quickly; baking the application into the AMI rather than installing it at boot is the usual way to shorten that time. Furthermore, instances that are stateless rather than stateful will more gracefully enter and exit an Auto Scaling group, because terminating one loses no session data.
Rolling Out a Patch at Scale
In large deployments of Amazon EC2 instances, Auto Scaling can be used to make rolling out a patch to your instances easy. A launch configuration cannot be edited in place, so you create a new one that references the patched AMI (and a new Amazon EC2 instance type if needed) and update the Auto Scaling group to use it. Then you can deregister or terminate instances one at a time or in small groups, and the replacement Amazon EC2 instances that Auto Scaling launches will use the patched AMI. Wait for each replacement to pass the load balancer health check before terminating the next unpatched instance, so the group never drops below the capacity it needs.
Summary
This chapter introduced three services:
Elastic Load Balancing, which is used to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones to achieve greater levels of fault tolerance for your applications.
Amazon CloudWatch, which monitors resources and applications. Amazon CloudWatch is used to collect and track metrics, create alarms that send notifications, and make changes to resources being monitored based on rules you define.
Auto Scaling, which allows you to automatically scale your Amazon EC2 capacity out and in using criteria that you define.
These three services can be used very effectively together to create a highly available application with a resilient architecture on AWS.
Exam Essentials
Understand what the Elastic Load Balancing service provides. Elastic Load Balancing is a highly available service that distributes traffic across Amazon EC2 instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.
Know the types of load balancers the Elastic Load Balancing service provides and when to use each one. An Internet-facing load balancer is, as the name implies, a load balancer that takes requests from clients over the Internet and distributes them to Amazon EC2 instances that are registered with the load balancer.
An internal load balancer is used to route traffic to your Amazon EC2 instances in VPCs with private subnets.
An HTTPS load balancer is used when you want to encrypt data between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your back-end instances.
Know the types of listeners the Elastic Load Balancing service provides and the use case and requirements for using each one. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end (load balancer to back-end instance) connections.
Understand the configuration options for Elastic Load Balancing. Elastic Load Balancing allows you to configure many aspects of the load balancer, including idle connection timeout, cross-zone load balancing, connection draining, proxy protocol, sticky sessions, and health checks.
Know what an Elastic Load Balancing health check is and why it is important. Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer, so that traffic is sent only to instances that are actually serving.
Understand what the Amazon CloudWatch service provides and what use cases there are for using it. Amazon CloudWatch is a service that you can use to monitor your AWS resources and your applications in real time. With Amazon CloudWatch, you can collect and track metrics, create alarms that send notifications, and make changes to the resources being monitored based on rules you define.
For example, you might choose to monitor CPU utilization to decide when to add or remove Amazon EC2 instances in an application tier. Or, if a particular application-specific metric that is not visible to AWS is the best indicator for assessing your scaling needs, you can perform a PUT request to push that metric into Amazon CloudWatch. You can then use this custom metric to manage capacity.
Know the differences between the two types of monitoring, basic and detailed, for Amazon CloudWatch. Amazon CloudWatch offers basic or detailed monitoring for supported AWS products. Basic monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of preselected metrics at no charge. Detailed monitoring sends data points to Amazon CloudWatch every minute and allows data aggregation for an additional charge. If you want to use detailed monitoring, you must enable it; basic is the default.
Understand Auto Scaling and why it is an important advantage of the AWS Cloud. A distinct advantage of deploying applications to the cloud is the ability to launch and then release servers in response to variable workloads. Provisioning servers on demand and then releasing them when they are no longer needed can provide significant cost savings for workloads that are not steady state.
Know when and why to use Auto Scaling. Auto Scaling is a service that allows you to scale your Amazon EC2 capacity automatically by scaling out and scaling in according to criteria that you define. With Auto Scaling, you can ensure that the number of running Amazon EC2 instances increases during demand spikes or peak demand periods to maintain application performance and decreases automatically during demand lulls or troughs to minimize costs.
Know the supported Auto Scaling plans. Auto Scaling has several schemes or plans that you can use to control how you want Auto Scaling to perform. The Auto Scaling plans are named Maintain Current Instance Levels, Manual Scaling, Scheduled Scaling, and Dynamic Scaling.
Understand how to build an Auto Scaling launch configuration and an Auto Scaling group and what each is used for. A launch configuration is the template that Auto Scaling uses to create new instances and is composed of the configuration name, AMI, Amazon EC2 instance type, security group, and instance key pair. The Auto Scaling group references a launch configuration and defines the minimum, maximum, and desired number of instances and the Availability Zones they run in.
Know what a scaling policy is and what use cases to use it for. A scaling policy is used by Auto Scaling with CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends a message to Auto Scaling when the metric breaches the threshold you specify in the alarm; the policy attached to the alarm defines the adjustment to make.
Understand how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling are used together to provide dynamic scaling. Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling can be used together to create a highly available application with a resilient architecture on AWS.
Exercises
For assistance in completing the following exercises, refer to the Elastic Load Balancing Developer Guide located at http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html, the Amazon CloudWatch Developer Guide at http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html, and the Auto Scaling User Guide at http://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html.
EXERCISE 5.1
Create an Elastic Load Balancing Load Balancer
In this exercise, you will use the AWS Management Console to create an Elastic Load Balancing load balancer.
1. Launch an Amazon EC2 instance using an AMI with a web server on it, or install and configure a web server.
2. Create a static page to display and a health check page that returns HTTP 200. Configure the Amazon EC2 instance to accept traffic over port 80.
3. Register the Amazon EC2 instance with the Elastic Load Balancing load balancer, and configure it to use the health check page to evaluate the health of the instance.
EXERCISE 5.2
Use an Amazon CloudWatch Metric
1. Launch an Amazon EC2 instance.
2. Use an existing Amazon CloudWatch metric to monitor a value.
EXERCISE 5.3
Create a Custom Amazon CloudWatch Metric
1. Create a custom Amazon CloudWatch metric for memory consumption.
2. Use the CLI to PUT values into the metric.
EXERCISE 5.4
Create a Launch Configuration and Auto Scaling Group
1. Using the AWS Management Console, create a launch configuration using an existing AMI.
2. Create an Auto Scaling group using this launch configuration with a group size of four and spanning two Availability Zones. Do not use a scaling policy. Keep the group at its initial size.
3. Manually terminate an Amazon EC2 instance, and observe Auto Scaling launch a new Amazon EC2 instance.
EXERCISE 5.5
Create a Scaling Policy
1. Create an Amazon CloudWatch metric and alarm for CPU utilization using the AWS Management Console.
2. Using the Auto Scaling group from Exercise 5.4, edit the Auto Scaling group to include a policy that uses the CPU utilization alarm.
3. Drive CPU utilization on the monitored Amazon EC2 instance(s) up to observe Auto Scaling.
EXERCISE 5.6
Create a Web Application That Scales
1. Create a small web application architected with an Elastic Load Balancing load balancer, an Auto Scaling group spanning two Availability Zones that uses an Amazon CloudWatch metric, and an alarm attached to a scaling policy used by the Auto Scaling group.
2. Verify that Auto Scaling is operating correctly by removing instances and driving the metric up and down to force Auto Scaling.
Review Questions
1. Which of the following are required elements of an Auto Scaling group? (Choose 2 answers)
A. Minimum size
B. Health checks
C. Desired capacity
D. Launch configuration
2. You have created an Elastic Load Balancing load balancer listening on port 80, and you registered it with a single Amazon Elastic Compute Cloud (Amazon EC2) instance also listening on port 80. A client makes a request to the load balancer with the correct protocol and port for the load balancer. In this scenario, how many connections does the balancer maintain?
A. 1
B. 2
C. 3
D. 4
3. How long does Amazon CloudWatch keep metric data?
A. 1 day
B. 2 days
C. 1 week
D. 2 weeks
4. Which of the following are the minimum required elements to create an Auto Scaling launch configuration?
A. Launch configuration name, Amazon Machine Image (AMI), and instance type
B. Launch configuration name, AMI, instance type, and key pair
C. Launch configuration name, AMI, instance type, key pair, and security group
D. Launch configuration name, AMI, instance type, key pair, security group, and block device mapping
5. You are responsible for the application logging solution for your company's existing applications running on multiple Amazon EC2 instances. Which of the following is the best approach for aggregating the application logs within AWS?
A. Amazon CloudWatch custom metrics
B. Amazon CloudWatch Logs Agent
C. An Elastic Load Balancing listener
D. An internal Elastic Load Balancing load balancer
6. Which of the following must be configured on an Elastic Load Balancing load balancer to accept incoming traffic?
A. A port
B. A network interface
C. A listener
D. An instance
7. You create an Auto Scaling group in a new region that is configured with a minimum size value of 10, a maximum size value of 100, and a desired capacity value of 50. However, you notice that 30 of the Amazon Elastic Compute Cloud (Amazon EC2) instances within the Auto Scaling group fail to launch. Which of the following is the cause of this behavior?
A. You cannot define an Auto Scaling group larger than 20.
B. The Auto Scaling group maximum value cannot be more than 20.
C. You did not attach an Elastic Load Balancing load balancer to the Auto Scaling group.
D. You have not raised your default Amazon EC2 capacity (20) for the new region.
8. You want to host multiple Hypertext Transfer Protocol Secure (HTTPS) websites on a fleet of Amazon EC2 instances behind an Elastic Load Balancing load balancer with a single X.509 certificate. How must you configure the Secure Sockets Layer (SSL) certificate so that clients connecting to the load balancer are not presented with a warning when they connect?
A. Create one SSL certificate with a Subject Alternative Name (SAN) value for each website name.
B. Create one SSL certificate with the Server Name Indication (SNI) value checked.
C. Create multiple SSL certificates with a SAN value for each website name.
D. Create SSL certificates for each Availability Zone with a SAN value for each website name.
9. Your web application front end consists of multiple Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer. You have configured the load balancer to perform health checks on these Amazon EC2 instances. If an instance fails to pass health checks, which statement will be true?
A. The instance is replaced automatically by the load balancer.
B. The instance is terminated automatically by the load balancer.
C. The load balancer stops sending traffic to the instance that failed its health check.
D. The instance is quarantined by the load balancer for root cause analysis.
10. In the basic monitoring package for Amazon Elastic Compute Cloud (Amazon EC2), what Amazon CloudWatch metrics are available?
A. Web server visible metrics such as number of failed transaction requests
B. Operating system visible metrics such as memory utilization
C. Database visible metrics such as number of connections
D. Hypervisor visible metrics such as CPU utilization
11. A cell phone company is running dynamic-content television commercials for a contest. They want their website to handle traffic spikes that come after a commercial airs. The website is interactive, offering personalized content to each visitor based on location, purchase history, and the current commercial airing. Which architecture will configure Auto Scaling to scale out to respond to spikes of demand, while minimizing costs during quiet periods?
A. Set the minimum size of the Auto Scaling group so that it can handle high traffic volumes without needing to scale out.
B. Create an Auto Scaling group large enough to handle peak traffic loads, and then stop some instances. Configure Auto Scaling to scale out when traffic increases using the stopped instances, so new capacity will come online quickly.
C. Configure Auto Scaling to scale out as traffic increases. Configure the launch configuration to start new instances from a preconfigured Amazon Machine Image (AMI).
D. Use Amazon CloudFront and Amazon Simple Storage Service (Amazon S3) to cache changing content, with the Auto Scaling group set as the origin. Configure Auto Scaling to have sufficient instances necessary to initially populate CloudFront and Amazon ElastiCache, and then scale in after the cache is fully populated.
12. For an application running in the ap-northeast-1 region with three Availability Zones (ap-northeast-1a, ap-northeast-1b, and ap-northeast-1c), which instance deployment provides high availability for the application that normally requires nine running Amazon Elastic Compute Cloud (Amazon EC2) instances but can run on a minimum of 65 percent capacity while Auto Scaling launches replacement instances in the remaining Availability Zones?
A. Deploy the application on four servers in ap-northeast-1a and five servers in ap-northeast-1b, and keep five stopped instances in ap-northeast-1a as reserve.
B. Deploy the application on three servers in ap-northeast-1a, three servers in ap-northeast-1b, and three servers in ap-northeast-1c.
C. Deploy the application on six servers in ap-northeast-1b and three servers in ap-northeast-1c.
D. Deploy the application on nine servers in ap-northeast-1b, and keep nine stopped instances in ap-northeast-1a as reserve.
13. Which of the following are characteristics of the Auto Scaling service on AWS? (Choose 3 answers)
A. Sends traffic to healthy instances
B. Responds to changing conditions by adding or terminating Amazon Elastic Compute Cloud (Amazon EC2) instances
C. Collects and tracks metrics and sets alarms
D. Delivers push notifications
E. Launches instances from a specified Amazon Machine Image (AMI)
F. Enforces a minimum number of running Amazon EC2 instances
14. Why is the launch configuration referenced by the Auto Scaling group instead of being part of the Auto Scaling group?
A. It allows you to change the Amazon Elastic Compute Cloud (Amazon EC2) instance type and Amazon Machine Image (AMI) without disrupting the Auto Scaling group.
B. It facilitates rolling out a patch to an existing set of instances managed by an Auto Scaling group.
C. It allows you to change security groups associated with the instances launched without having to make changes to the Auto Scaling group.
D. All of the above
E. None of the above
15. An Auto Scaling group may use: (Choose 2 answers)
A. On-Demand Instances
B. Stopped instances
C. Spot Instances
D. On-premises instances
E. Already running instances if they use the same Amazon Machine Image (AMI) as the Auto Scaling group's launch configuration and are not already part of another Auto Scaling group
16. Amazon CloudWatch supports which types of monitoring plans? (Choose 2 answers)
A. Basic monitoring, which is free
B. Basic monitoring, which has an additional cost
C. Ad hoc monitoring, which is free
D. Ad hoc monitoring, which has an additional cost
E. Detailed monitoring, which is free
F. Detailed monitoring, which has an additional cost
17. Elastic Load Balancing health checks may be: (Choose 3 answers)
A. A ping
B. A key pair verification
C. A connection attempt
D. A page request
E. An Amazon Elastic Compute Cloud (Amazon EC2) instance status check
18. When an Amazon Elastic Compute Cloud (Amazon EC2) instance registered with an Elastic Load Balancing load balancer using connection draining is deregistered or unhealthy, which of the following will happen? (Choose 2 answers)
A. Immediately close all existing connections to that instance.
B. Keep the connections open to that instance, and attempt to complete in-flight requests.
C. Redirect the requests to a user-defined error page like "Oops this is embarrassing" or "Under Construction."
D. Forcibly close all connections to that instance after a timeout period.
E. Leave the connections open as long as the load balancer is running.
19. Elastic Load Balancing supports which of the following types of load balancers? (Choose 3 answers)
A. Cross-region
B. Internet-facing
C. Interim
D. Itinerant
E. Internal
F. Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer (SSL)
20. Auto Scaling supports which of the following plans for Auto Scaling groups? (Choose 3 answers)
A. Predictive
B. Manual
C. Preemptive
D. Scheduled
E. Dynamic
F. End-user request driven
G. Optimistic
Chapter 6
AWS Identity and Access Management (IAM)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, Elastic Beanstalk, CloudFormation, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure IAM policies and best practices
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS Identity and Access Management (IAM)
Introduction
In this chapter, you will learn how AWS Identity and Access Management (IAM) secures interactions with the AWS resources in your account, including:
Which principals interact with AWS through the AWS Management Console, Command Line Interface (CLI), and Software Development Kits (SDKs)
How each principal is authenticated
How IAM policies are written to specify the access privileges of principals
How IAM policies are associated with principals
How to secure your infrastructure further through Multi-Factor Authentication (MFA) and key rotation
How IAM roles can be used to delegate permissions and federate users
How to resolve multiple, possibly conflicting IAM permissions
IAM is a powerful service that allows you to control how people and programs are allowed to manipulate your AWS infrastructure. IAM uses traditional identity concepts such as users, groups, and access control policies to control who can use your AWS account, what services and resources they can use, and how they can use them. The control provided by IAM is granular enough to limit a single user to the ability to perform a single action on a specific resource from a specific IP address during a specific time window. Applications can be granted access to AWS resources whether they are running on-premises or in the cloud. This flexibility creates a very powerful system that gives you the control you need to ensure that your AWS account users can meet your business needs while addressing the security concerns of your organization.
This chapter will cover the different principals that can interact with AWS and how they are authenticated. It will then discuss how to write policies that define permitted access to services, actions, and resources and associate these policies with authenticated principals. Finally, it will cover additional features of IAM that will help you secure your infrastructure, including MFA, rotating keys, federation, resolving multiple permissions, and using IAM roles.
As important as it is to know what IAM is exactly, it is equally important to understand what it is not:
First, IAM is not an identity store/authorization system for your applications. The permissions that you assign are permissions to manipulate AWS infrastructure, not permissions within your application. If you are migrating an existing on-premises application that already has its own user repository and authentication/authorization mechanism, then that should continue to work when you deploy on AWS and is probably the right choice. If your application identities are based on Active Directory, your on-premises Active Directory can be extended into the cloud to continue to fill that need. A great solution for using Active Directory in the cloud is AWS Directory Service, which is an Active Directory-compatible directory service that can work on its own or integrate with your on-premises Active Directory. Finally, if you are working with a mobile app, consider Amazon Cognito for identity management for mobile applications.
Second, IAM is not operating system identity management. Remember that under the shared responsibility model, you are in control of your operating system console and configuration. Whatever mechanism you currently use to control access to your server infrastructure will continue to work on Amazon Elastic Compute Cloud (Amazon EC2) instances, whether that is managing individual machine login accounts or a directory service such as Active Directory or Lightweight Directory Access Protocol (LDAP). You can run an Active Directory or LDAP server on Amazon EC2, or you can extend your on-premises system into the cloud. AWS Directory Service will also work well to provide Active Directory functionality in the cloud as a service, whether standalone or integrated with your existing Active Directory.
Table 6.1 summarizes the role that different authentication systems can play in your AWS environment.
TABLE 6.1 Authentication Technologies
Use Case                  Technology Solutions
Operating System Access   Active Directory; LDAP; machine-specific accounts
Application Access        Active Directory; application user repositories; Amazon Cognito
AWS Resources             IAM
IAM is controlled like most other AWS Cloud services:
Through the AWS Management Console. Like other services, the AWS Management Console is the easiest way to start learning about and manipulating a service.
With the CLI. As you learn the system, you can start scripting repeated tasks using the CLI.
Via the AWS SDKs. Eventually you may start writing your own tools and complex processes by manipulating IAM directly through the REST API via one of several SDKs.
All of these methods work to control IAM just as they work with other services. In addition, the AWS Partner Network (APN) includes a rich ecosystem of tools to manage and extend IAM.
Principals
The first IAM concept to understand is principals. A principal is an IAM entity that is allowed to interact with AWS resources. A principal can be permanent or temporary, and it can represent a human or an application. There are three types of principals: root users, IAM users, and roles/temporary security tokens.
Root User
When you first create an AWS account, you begin with only a single sign-in principal that has complete access to all AWS Cloud services and resources in the account. This principal is called the root user. As long as you have an open account with AWS, the root user for that relationship will persist. The root user can be used for both console and programmatic access to AWS resources.
The root user is similar in concept to the UNIX root or Windows Administrator account: it has full privileges to do anything in the account, including closing the account, and no IAM policy can restrict it. It is strongly recommended that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user and then securely locking away the root user credentials: enable MFA on the root user and delete any root access keys, so that the only root credential that remains is a rarely used password.
IAM Users
Users are persistent identities set up through the IAM service to represent individual people or applications. You may create separate IAM users for each member of your operations team so they can interact with the console and use the CLI. You might also create dev, test, and production users for applications that need to access AWS Cloud services (although you will see later in this chapter that IAM roles may be a better solution for that use case).
IAM users can be created by principals with IAM administrative privileges at any time through the AWS Management Console, CLI, or SDKs. Users are persistent in that there is no expiration period; they are permanent entities that exist until an IAM administrator takes an action to delete them.
Users are an excellent way to enforce the principle of least privilege; that is, the concept of allowing a person or process interacting with your AWS resources to perform exactly the tasks they need but nothing else. Users can be associated with very granular policies that define these permissions. Policies will be covered in a later section.
Roles/Temporary Security Tokens
Roles and temporary security tokens are very important for advanced IAM usage, but many AWS users find them confusing. Roles are used to grant specific privileges to specific actors for a set duration of time. These actors can be authenticated by AWS or some trusted external system. When one of these actors assumes a role, AWS provides the actor with a temporary security token from the AWS Security Token Service (STS) that the actor can use to access AWS Cloud services. Requesting a temporary security token requires specifying how long the token will exist before it expires. The range of a temporary security token lifetime is 15 minutes to 36 hours; the maximum you can actually request depends on which STS operation issues the token and, for roles, on the maximum session duration configured on the role.
Roles and temporary security tokens enable a number of use cases:
Amazon EC2 Roles: Granting permissions to applications running on an Amazon EC2 instance.
Cross-Account Access: Granting permissions to users from other AWS accounts, whether you control those accounts or not.
Federation: Granting permissions to users authenticated by a trusted external system.
Amazon EC2 Roles
Granting permissions to an application is always tricky, as it usually requires configuring the application with some sort of credential upon installation. This leads to issues around securely storing the credential prior to use, how to access it safely during installation, and how to secure it in the configuration. Suppose that an application running on an Amazon EC2 instance needs to access an Amazon Simple Storage Service (Amazon S3) bucket. A policy granting permission to read and write that bucket can be created and assigned to an IAM user, and the application can use the access key for that IAM user to access the Amazon S3 bucket. The problem with this approach is that the access key for the user must be accessible to the application, probably by storing it in some sort of configuration file. The process for obtaining the access key and storing it encrypted in the configuration is usually complicated and a hindrance to agile development. Additionally, the access key is at risk when being passed around. Finally, when the time comes to rotate the access key, the rotation involves performing that whole process again.
Using IAM roles for Amazon EC2 removes the need to store AWS credentials in a configuration file.
An alternative is to create an IAM role that grants the required access to the Amazon S3 bucket. When the Amazon EC2 instance is launched, the role is assigned to the instance through an instance profile. When the application running on the instance uses the Application Programming Interface (API) to access the Amazon S3 bucket, it assumes the role assigned to the instance and obtains a temporary token that it sends to the API. The process of obtaining the temporary token (from the instance metadata service) and passing it to the API is handled automatically by most of the AWS SDKs, allowing the application to make a call to access the Amazon S3 bucket without worrying about authentication. In addition to being easy for the developer, this removes any need to store an access key in a configuration file. Also, because the API access uses a temporary token that the SDK refreshes before it expires, there is no fixed access key that must be rotated. One caveat: any process on the instance that can reach the metadata service can read those credentials, so a server-side request forgery or command-execution flaw in the application exposes everything the role is allowed to do. Keep the role's policy to the minimum the application needs.
Cross-Account Access
Another common use case for IAM roles is to grant access to AWS resources to IAM users in other AWS accounts. These accounts may be other AWS accounts controlled by your company or outside agents like customers or suppliers. You can set up an IAM role with the permissions you want to grant to users in the other account, then users in the other account can assume that role to access your resources. This is highly recommended as a best practice, as opposed to distributing access keys outside your organization. When the other account belongs to a third party, also require an external ID in the role's trust policy, so that the third party cannot be tricked into assuming your role on behalf of one of its other customers (the confused deputy problem).
Federation
Many organizations already have an identity repository outside of AWS and would rather leverage that repository than create a new and largely duplicate repository of IAM users. Similarly, web-based applications may want to leverage web-based identities such as Facebook, Google, or Login with Amazon. IAM Identity Providers provide the ability to federate these outside identities with IAM and assign privileges to those users authenticated outside of IAM.
IAM can integrate with two different types of outside Identity Providers (IdP). For federating web identities such as Facebook, Google, or Login with Amazon, IAM supports integration via OpenID Connect (OIDC). This allows IAM to grant privileges to users authenticated with some of the major web-based IdPs. For federating internal identities, such as Active Directory or LDAP, IAM supports integration via Security Assertion Markup Language 2.0 (SAML). A SAML-compliant IdP such as Active Directory Federation Services (ADFS) is used to federate the internal directory to IAM. (Instructions for configuring many compatible products can be found on the AWS website.) In each case, federation works by returning a temporary token associated with a role to the IdP for the authenticated identity to use for calls to the AWS API. The actual role returned is determined via information received from the IdP, either attributes of the user in the on-premises identity store or the user name and authenticating service of the web identity store.
The three types of principals and their general traits are listed in Table 6.2.
TABLE 6.2 Traits of AWS Principals
Principal                          Traits
Root User                          Cannot be limited; permanent
IAM Users                          Access controlled by policy; durable; can be removed by IAM administrator
Roles/Temporary Security Tokens    Access controlled by policy; temporary; expire after a specific time interval
Authentication
There are three ways that IAM authenticates a principal:
User Name/Password: When a principal represents a human interacting with the console, the human will provide a user name/password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration.
Access Key: An access key is a combination of an access key ID (20 characters) and a secret access key (40 characters). When a program is manipulating the AWS infrastructure via the API, it will use these values to sign the underlying REST calls to the services: the current scheme, Signature Version 4, derives a signing key from the secret and computes an HMAC-SHA256 over a canonical form of the request, so the secret itself is never transmitted. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key will almost always be a matter of providing the values to the SDK or tool.
Access Key/Session Token: When a process operates under an assumed role, the temporary security token provides an access key for authentication. In addition to the access key (remember that it consists of two parts), the token also includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate; the session token is sent in its own request header and is covered by the signature.
It is important to note that when an IAM user is created, it has neither an access key nor a password, and the IAM administrator can set up either or both. This adds an extra layer of security in that console users cannot use their credentials to run a program that accesses your AWS infrastructure.
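To show what signing the REST calls with an access key means on the wire, and how the session token of temporary credentials enters the picture, here is a Signature Version 4 implementation in Python (an added example, not code from the study guide; standard library only). The request values are the worked example from the AWS SigV4 documentation, using the example key pair AWS publishes for it, so the resulting signature can be checked against the documented value; the session token string is constructed.

```python
"""Signature Version 4 signing of an AWS API request with an access key
(access key ID + secret access key) and, optionally, the session token that
accompanies temporary credentials from STS. Added example, standard library
only. The request is the worked example from the AWS SigV4 documentation,
using AWS's published example credentials; the session token is constructed."""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """Query string sorted by key, RFC 3986 percent-encoded."""
    def enc(s):
        return quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def sign_request(method, host, path, params, headers, body, region, service,
                 access_key_id, secret_access_key, amz_date, session_token=None):
    """Return (Authorization header value, headers to send).
    amz_date is the ISO 8601 basic timestamp, e.g. 20150830T123600Z."""
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:
        # Temporary credentials: the session token travels in its own header,
        # which is included in the signature (the access key/session token
        # method above). A long-term access key has no such header.
        hdrs["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([
        method, quote(path, safe="/~"), canonical_query(params),
        canonical_headers, signed_headers, _sha256_hex(body)])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Derived signing key: the secret itself never touches the request, and the
    # derived key is only good for this date, region and service.
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, hdrs


def signature_of(authorization: str) -> str:
    return authorization.rsplit("Signature=", 1)[1]


# Worked example from the AWS SigV4 documentation: IAM ListUsers in us-east-1
# with AWS's published example key pair and a fixed timestamp.
DOC_EXAMPLE = dict(
    method="GET", host="iam.amazonaws.com", path="/",
    params={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
    body=b"", region="us-east-1", service="iam",
    access_key_id="AKIDEXAMPLE",
    secret_access_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    amz_date="20150830T123600Z")

if __name__ == "__main__":
    auth, _ = sign_request(**DOC_EXAMPLE)
    print(auth)
```

Two properties worth noticing: the service can verify the signature only because it holds the same secret, which is why a leaked secret access key is a full compromise of that user until rotated; and a signature made with temporary credentials is bound to the session token, so the token cannot be stripped or swapped without invalidating the request.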
Figure 6.1 shows a summary of the different authentication methods.
FIGURE 6.1 Different identities authenticating with AWS
AuthorizationAfterIAMhasauthenticatedaprincipal,itmustthenmanagetheaccessofthatprincipaltoprotectyourAWSinfrastructure.Theprocessofspecifyingexactlywhatactionsaprincipalcanandcannotperformiscalledauthorization.AuthorizationishandledinIAMbydefiningspecificprivilegesinpoliciesandassociatingthosepolicieswithprincipals.
Policies
Understanding how access management works under IAM begins with understanding policies. A policy is a JSON document that fully defines a set of permissions to access and manipulate AWS resources. Policy documents contain one or more permissions, with each permission defining:
Effect—A single word: Allow or Deny.
Service—For what service does this permission apply? Most AWS Cloud services support granting access through IAM, including IAM itself.
Resource—The resource value specifies the specific AWS infrastructure for which this permission applies. This is specified as an Amazon Resource Name (ARN). The format for an ARN varies slightly between services, but the basic format is:
    "arn:aws:service:region:account-id:[resourcetype:]resource"
For some services, wildcard values are allowed; for instance, an Amazon S3 ARN could have a resource of foldername/* to indicate all objects in the specified folder. Table 6.3 displays some sample ARNs.
TABLE 6.3 Sample ARNs
Resource                ARN Format
Amazon S3 Bucket        arn:aws:s3:us-east-1:123456789012:my_corporate_bucket/*
IAM User                arn:aws:iam:us-east-1:123456789012:user/David
Amazon DynamoDB Table   arn:aws:dynamodb:us-east-1:123456789012:table/tablename
Action—The action value specifies the subset of actions within a service that the permission allows or denies. For instance, a permission may grant access to any read-based action for Amazon S3. A set of actions can be specified with an enumerated list or by using wildcards (Read*).
Condition—The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permission. For instance, the permission might contain a condition that limits the ability to access a resource to calls that come from a specific IP address range. Another condition could restrict the permission to apply only during a specific time interval. There are many types of conditions, allowing a rich variety of functionality that varies between services. See the IAM documentation for lists of supported conditions for each service.
A sample policy is shown in the following listing. This policy allows a principal to list the objects in a specific bucket and to retrieve those objects, but only if the call comes from a specific IP address.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1441716043000",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "192.168.0.1"
            }
          },
          "Resource": [
            "arn:aws:s3:::my_public_bucket/*"
          ]
        }
      ]
    }
In this listing, the Effect grants access; the Action list allows identities to list and get objects in the S3 bucket; the Condition limits the grant to calls from a specific IP address; and the Resource restricts the permission to only this bucket.
Associating Policies with Principals
There are several ways to associate a policy with an IAM user; this section will only cover the most common.
A policy can be associated directly with an IAM user in one of two ways:
User Policy—These policies exist only in the context of the user to which they are attached. In the console, a user policy is entered into the user interface on the IAM user page.
Managed Policies—These policies are created in the Policies tab on the IAM page (or through the CLI, and so forth) and exist independently of any individual user. In this way, the same policy can be associated with many users or groups of users. There are a large number of predefined managed policies that you can review on the Policies tab of the IAM page in the AWS Management Console. In addition, you can write your own policies specific to your use cases.
Using predefined managed policies ensures that when new permissions are added for new features, your users will still have the correct access.
The other common method for associating policies with users is with the IAM groups feature. Groups simplify managing permissions for large numbers of users. After a policy is assigned to a group, any user who is a member of that group assumes those permissions. This makes it simpler to assign policies to an entire team in your organization. For instance, if you create an “Operations” group with every IAM user for your operations team assigned to that group, then it is a simple matter to associate the needed permissions to the group, and all of the team’s IAM users will assume those permissions. New IAM users can then be assigned directly to the group.
This is a much simpler management process than having to review what policies a new IAM user for the operations team should receive and manually adding those policies to the user. There are two ways a policy can be associated with an IAM group:
Group Policy—These policies exist only in the context of the group to which they are attached. In the AWS Management Console, a group policy is entered into the user interface on the IAM Group page.
Managed Policies—In the same way that managed policies (discussed in the “Authorization” section) can be associated with IAM users, they can also be associated with IAM groups.
Figure 6.2 shows the different ways that policies can be associated with an IAM User.
FIGURE 6.2 Associating IAM users with policies
A good first step is to use the root user to create a new IAM group called “IAM Administrators” and assign the managed policy, “IAMFullAccess.” Then create a new IAM user called “Administrator,” assign a password, and add it to the IAM Administrators group. At this point, you can log off as the root user and perform all further administration with the IAM user account.
The final way an actor can be associated with a policy is by assuming a role. In this case, the actor can be:
An authenticated IAM user (person or process). In this case, the IAM user must have the rights to assume the role.
A person or process authenticated by a trusted service outside of AWS, such as an on-premises LDAP directory or a web authentication service. In this situation, an AWS Cloud service will assume the role on the actor’s behalf and return a token to the actor.
After an actor has assumed a role, it is provided with a temporary security token associated with the policies of that role. The token contains all the information required to authenticate API calls. This information includes a standard access key plus an additional session token required for authenticating calls under an assumed role.
Other Key Features
Beyond the critical concepts of principals, authentication, and authorization, there are several other features of the IAM service that are important to understand to realize the full benefits of IAM.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) can add an extra layer of security to your infrastructure by adding a second method of authentication beyond just a password or access key. With MFA, authentication also requires entering a One-Time Password (OTP) from a small device. The MFA device can be either a small hardware device you carry with you or a virtual device via an app on your smartphone (for example, the AWS Virtual MFA app).
MFA requires you to verify your identity with both something you know and something you have.
MFA can be assigned to any IAM user account, whether the account represents a person or application. When a person using an IAM user configured with MFA attempts to access the AWS Management Console, after providing their password they will be prompted to enter the current code displayed on their MFA device before being granted access. An application using an IAM user configured with MFA must query the application user to provide the current code, which the application will then pass to the API.
It is strongly recommended that AWS customers add MFA protection to their root user.
Rotating Keys
The security risk of any credential increases with the age of the credential. To this end, it is a security best practice to rotate access keys associated with your IAM users. IAM facilitates this process by allowing two active access keys at a time. The process to rotate keys can be conducted via the console, CLI, or SDKs:
1. Create a new access key for the user.
2. Reconfigure all applications to use the new access key.
3. Disable the original access key (disabling instead of deleting at this stage is critical, as it allows rollback to the original key if there are issues with the rotation).
4. Verify the operation of all applications.
5. Delete the original access key.
Access keys should be rotated on a regular schedule.
Resolving Multiple Permissions
Occasionally, multiple permissions will be applicable when determining whether a principal has the privilege to perform some action. These permissions may come from multiple policies associated with a principal or resource policies attached to the AWS resource in question. It is important to know how conflicts between these permissions are resolved:
1. Initially the request is denied by default.
2. All the appropriate policies are evaluated; if there is an explicit “deny” found in any policy, the request is denied and evaluation stops.
3. If no explicit “deny” is found and an explicit “allow” is found in any policy, the request is allowed.
4. If there are no explicit “allow” or “deny” permissions found, then the default “deny” is maintained and the request is denied.
The only exception to this rule is if an AssumeRole call includes a role and a policy, the policy cannot expand the privileges of the role (for example, the policy cannot override any permission that is denied by default in the role).
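The four resolution steps above, applied to the sample policy from the Policies section, as an added example that is not code from the book or from AWS. It models only Action/Resource wildcards and the IpAddress/NotIpAddress operators on aws:SourceIp; the policies, resource names and source addresses are constructed, and the deny policy mirrors the one Exercise 6.7 has you attach (Effect: Deny, s3:*, ARN: *).

```python
"""Simplified IAM policy evaluation (added example, not from the book or AWS)."""
import fnmatch
import ipaddress
from typing import Iterable

# Constructed policies: the chapter's sample allow policy, plus the deny
# policy that Exercise 6.7 has you attach (Effect: Deny, s3:*, ARN: *).
READ_BUCKET_FROM_OFFICE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1441716043000",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.0.1"}},
        "Resource": ["arn:aws:s3:::my_public_bucket/*"],
    }],
}
DENY_ALL_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a single value or a list for these elements."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, value):
    """IAM wildcard matching: '*' is any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_condition_met(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp.

    Values may be single addresses or CIDR ranges. A statement with no
    Condition block always applies. Other condition operators are not
    modelled here (the book points to the IAM documentation for them).
    """
    if not condition:
        return True
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator}")
        nets = [ipaddress.ip_network(v, strict=False)
                for v in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(addr in net for net in nets)
        if (operator == "IpAddress") != in_range:
            return False
    return True


def is_allowed(policies: Iterable[dict], action: str, resource: str,
               source_ip: str = "0.0.0.0") -> bool:
    """Apply the four resolution steps from 'Resolving Multiple Permissions'.

    1. Start from the default deny.
    2. Any applicable explicit Deny ends evaluation with a deny.
    3. Otherwise an applicable explicit Allow grants the request.
    4. With no applicable statement at all, the default deny stands.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            applies = (_matches(stmt["Action"], action)
                       and _matches(stmt["Resource"], resource)
                       and _ip_condition_met(stmt.get("Condition"), source_ip))
            if not applies:
                continue
            if stmt["Effect"] == "Deny":
                return False   # explicit deny wins, whatever else allowed it
            allowed = True     # explicit allow, unless a later deny applies
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_public_bucket/report.csv"
    print(is_allowed([READ_BUCKET_FROM_OFFICE], "s3:GetObject", obj, "192.168.0.1"))  # True
    print(is_allowed([READ_BUCKET_FROM_OFFICE], "s3:GetObject", obj, "10.0.0.5"))    # False
    print(is_allowed([READ_BUCKET_FROM_OFFICE, DENY_ALL_S3],
                     "s3:GetObject", obj, "192.168.0.1"))                           # False
```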
Summary
IAM is a powerful service that gives you the ability to control which people and applications can access your AWS account at a very granular level. Because the root user in an AWS account cannot be limited, you should set up IAM users and temporary security tokens for your people and processes to interact with AWS.
Policies define what actions can and cannot be taken. Policies are associated with IAM users either directly or through group membership. A temporary security token is associated with a policy by assuming an IAM role. You can write your own policies or use one of the managed policies provided by AWS.
Common use cases for IAM roles include federating identities from external IdPs, assigning privileges to an Amazon EC2 instance where they can be assumed by applications running on the instance, and cross-account access.
IAM user accounts can be further secured by rotating keys, implementing MFA, and adding conditions to policies. MFA ensures that authentication is based on something you have in addition to something you know, and conditions can add further restrictions such as limiting client IP address ranges or setting a particular time interval.
Exam Essentials
Know the different principals in IAM. The three principals that can authenticate and interact with AWS resources are the root user, IAM users, and roles. The root user is associated with the actual AWS account and cannot be restricted in any way. IAM users are persistent identities that can be controlled through IAM. Roles allow people or processes the ability to operate temporarily with a different identity. People or processes assume a role by being granted a temporary security token that will expire after a specified period of time.
Know how principals are authenticated in IAM. When you log in to the AWS Management Console as an IAM user or root user, you use a user name/password combination. A program that accesses the API with an IAM user or root user uses a two-part access key. A temporary security token authenticates with an access key plus an additional session token unique to that temporary security token.
Know the parts of a policy. A policy is a JSON document that defines one or more permissions to interact with AWS resources. Each permission includes the effect, service, action, and resource. It may also include one or more conditions. AWS makes many predefined policies available as managed policies.
Know how a policy is associated with a principal. An authenticated principal is associated with zero to many policies. For an IAM user, these policies may be attached directly to the user account or attached to an IAM group of which the user account is a member. A temporary security token is associated with policies by assuming an IAM role.
Understand MFA. MFA increases the security of an AWS account by augmenting the password (something you know) with a rotating OTP from a small device (something you have), ensuring that anyone authenticating the account has both knowledge of the password and possession of the device. AWS supports both Gemalto hardware MFA devices and a number of virtual MFA apps.
Understand key rotation. To protect your AWS infrastructure, access keys should be rotated regularly. AWS allows two access keys to be valid simultaneously to make the rotation process straightforward: Generate a new access key, configure your application to use the new access key, test, disable the original access key, test, delete the original access key, and test again.
Understand IAM roles and federation. IAM roles are prepackaged sets of permissions that have no credentials. Principals can assume a role and then use the associated permissions. When a temporary security token is created, it assumes a role that defines the permissions assigned to the token. When an Amazon EC2 instance is associated with an IAM role, SDK calls acquire a temporary security token based on the role associated with the instance and use that token to access AWS resources.
Roles are the basis for federating external IdPs with AWS. You configure an IAM IdP to interact with the external IdP, the authenticated identity from the IdP is mapped to a role, and a temporary security token is returned that has assumed that role. AWS supports both SAML and OIDC IdPs.
Know how to resolve conflicting permissions. Resolving multiple permissions is relatively straightforward. If an action on a resource has not been explicitly allowed by a policy, it is denied. If two policies contradict each other; that is, if one policy allows an action on a resource and another policy denies that action, the action is denied. While this sounds improbable, it may occur due to scope differences in a policy. One policy may expose an entire fleet of Amazon EC2 instances, and a second policy may explicitly lock down one particular instance.
Exercises
For assistance in completing the following exercises, refer to the IAM User Guide at http://docs.aws.amazon.com/IAM/latest/UserGuide/.
EXERCISE 6.1
Create an IAM Group
In this exercise, you will create a group for all IAM administrator users and assign the proper permissions to the new group. This will allow you to avoid assigning policies directly to a user later in these exercises.
1. Log in as the root user.
2. Create an IAM group called Administrators.
3. Attach the managed policy, IAMFullAccess, to the Administrators group.
EXERCISE 6.2
Create a Customized Sign-In Link and Password Policy
In this exercise, you will set up your account with some basic IAM safeguards. The password policy is a recommended security practice, and the sign-in link makes it easier for your users to log in to the AWS Management Console.
1. Customize a sign-in link, and write down the new link name in full.
2. Create a password policy for your account.
EXERCISE 6.3
Create an IAM User
In this exercise, you will create an IAM user who can perform all administrative IAM functions. Then you will log in as that user so that you no longer need to use the root user login. Using the root user login only when explicitly required is a recommended security practice (along with adding MFA to your root user).
1. While logged in as the root user, create a new IAM user called Administrator.
2. Add your new user to the Administrators group.
3. On the Details page for the administrator user, create a password.
4. Log out as the root user.
5. Use the customized sign-in link to sign in as Administrator.
EXERCISE 6.4
Create and Use an IAM Role
In this exercise, you will create an IAM role, associate it with a new instance, and verify that applications running on the instance assume the permissions of the role. IAM roles allow you to avoid storing access keys on your Amazon EC2 instances.
1. While signed in as administrator, create an Amazon EC2-type role named S3Client.
2. Attach the managed policy, AmazonS3ReadOnlyAccess, to S3Client.
3. Launch an Amazon Linux EC2 instance with the new role attached (Amazon Linux AMIs come with the CLI installed).
4. SSH into the new instance, and use the CLI to list the contents of an Amazon S3 bucket.
EXERCISE 6.5
Rotate Keys
In this exercise, you will go through the process of rotating access keys, a recommended security practice.
1. Select the administrator, and create a two-part access key.
2. Download the access key.
3. Download and install the CLI to your desktop.
4. Configure the CLI to use the access key with the AWS Configure command.
5. Use the CLI to list the contents of an Amazon S3 bucket.
6. Return to the console, and create a new access key for the administrator account.
7. Download the access key, and reconfigure the CLI to use the new access key.
8. In the console, make the original access key inactive.
9. Confirm that you are using the new access key by once again listing the contents of the Amazon S3 bucket.
10. Delete the original access key.
EXERCISE 6.6
Set Up MFA
In this exercise, you will add MFA to your IAM administrator. You will use a virtual MFA application for your phone. MFA is a security recommendation on powerful accounts such as IAM administrators.
1. Download the AWS Virtual MFA app to your phone.
2. Select the administrator user, and manage the MFA device.
3. Go through the steps to activate a Virtual MFA device.
4. Log off as administrator.
5. Log in as administrator, and enter the MFA value to complete the authentication process.
EXERCISE 6.7
Resolve Conflicting Permissions
In this exercise, you will add a policy to your IAM administrator user with a conflicting permission. You will then attempt actions that verify how IAM resolves conflicting permissions.
1. Use the policy generator to create a new policy.
2. Create the policy with Effect: Deny; AWS Service: Amazon S3; Actions: *; and ARN: *.
3. Attach the new policy to the Administrators group.
4. Use the CLI to attempt to list the contents of an Amazon S3 bucket. The policy that allows access and the policy that denies access should resolve to deny access.
Review Questions
1. Which of the following methods will allow an application using an AWS SDK to be authenticated as a principal to access AWS Cloud services? (Choose 2 answers)
A. Create an IAM user and store the user name and password for the user in the application’s configuration.
B. Create an IAM user and store both parts of the access key for the user in the application’s configuration.
C. Run the application on an Amazon EC2 instance with an assigned IAM role.
D. Make all the API calls over an SSL connection.
2. Which of the following are found in an IAM policy? (Choose 2 answers)
A. Service Name
B. Region
C. Action
D. Password
3. Your AWS account administrator left your company today. The administrator had access to the root user and a personal IAM administrator account. With these accounts, he generated other IAM accounts and keys. Which of the following should you do today to protect your AWS infrastructure? (Choose 4 answers)
A. Change the password and add MFA to the root user.
B. Put an IP restriction on the root user.
C. Rotate keys and change passwords for IAM accounts.
D. Delete all IAM accounts.
E. Delete the administrator’s personal IAM account.
F. Relaunch all Amazon EC2 instances with new roles.
4. Which of the following actions can be authorized by IAM? (Choose 2 answers)
A. Installing ASP.NET on a Windows Server
B. Launching an Amazon Linux EC2 instance
C. Querying an Oracle database
D. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue
5. Which of the following are IAM security features? (Choose 2 answers)
A. Password policies
B. Amazon DynamoDB global secondary indexes
C. MFA
D. Consolidated Billing
6. Which of the following are benefits of using Amazon EC2 roles? (Choose 2 answers)
A. No policies are required.
B. Credentials do not need to be stored on the Amazon EC2 instance.
C. Key rotation is not necessary.
D. Integration with Active Directory is automatic.
7. Which of the following are based on temporary security tokens? (Choose 2 answers)
A. Amazon EC2 roles
B. MFA
C. Root user
D. Federation
8. Your security team is very concerned about the vulnerability of the IAM administrator user accounts (the accounts used to configure all IAM features and accounts). What steps can be taken to lock down these accounts? (Choose 3 answers)
A. Add multi-factor authentication (MFA) to the accounts.
B. Limit logins to a particular U.S. state.
C. Implement a password policy on the AWS account.
D. Apply a source IP address condition to the policy that only grants permissions when the user is on the corporate network.
E. Add a CAPTCHA test to the accounts.
9. You want to grant the individuals on your network team the ability to fully manipulate Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2 answers)
A. Create a new policy allowing EC2:* actions, and name the policy NetworkTeam.
B. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and assign all the team members’ IAM user accounts to that group.
C. Create a new policy that grants EC2:* actions on all resources, and assign that policy to each individual’s IAM user account on the network team.
D. Create a NetworkTeam IAM group, and have each team member log in to the AWS Management Console using the user name/password for the group.
10. What is the format of an IAM policy?
A. XML
B. Key/value pairs
C. JSON
D. Tab-delimited text
Chapter 7
Databases and AWS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
Planning and design
Architectural trade-off decisions (Amazon Relational Database Service [Amazon RDS] vs. installing on Amazon Elastic Compute Cloud [Amazon EC2])
Best practices for AWS architecture
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) Disaster Recovery (DR) design
Elasticity and scalability
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS administration and security services
Design patterns
3.2 Recognize critical disaster recovery techniques and their implementation.
This chapter will cover essential database concepts and introduce three of Amazon’s managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon Redshift. These managed services simplify the setup and operation of relational databases, NoSQL databases, and data warehouses.
This chapter focuses on key topics you need to understand for the exam, including:
The differences among a relational database, a NoSQL database, and a data warehouse
The benefits and tradeoffs between running a database on Amazon EC2 or on Amazon RDS
How to deploy database engines into the cloud
How to back up and recover your database and meet your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements
How to build highly available database architectures
How to scale your database compute and storage vertically
How to select the right type of storage volume
How to use read replicas to scale horizontally
How to design and scale an Amazon DynamoDB table
How to read and write from an Amazon DynamoDB table
How to use secondary indexes to speed queries
How to design an Amazon Redshift table
How to load and query an Amazon Redshift data warehouse
How to secure your databases, tables, and clusters
Database Primer
Almost every application relies on a database to store important data and records for its users. A database engine allows your application to access, manage, and search large volumes of data records. In a well-architected application, the database will need to meet the performance demands, the availability needs, and the recoverability characteristics of the system.
Database systems and engines can be grouped into two broad categories: Relational Database Management Systems (RDBMS) and NoSQL (or non-relational) databases. It is not uncommon to build an application using a combination of RDBMS and NoSQL databases. A strong understanding of essential database concepts, Amazon RDS, and Amazon DynamoDB is required to pass this exam.
Relational Databases
The most common type of database in use today is the relational database. The relational database has roots going back to the 1970s when Edgar F. Codd, working for IBM, developed the concepts of the relational model. Today, relational databases power all types of applications from social media apps, e-commerce websites, and blogs to complex enterprise applications. Commonly used relational database software packages include MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
Relational databases provide a common interface that lets users read and write from the database using commands or queries written using Structured Query Language (SQL). A relational database consists of one or more tables, and a table consists of columns and rows similar to a spreadsheet. A database column contains a specific attribute of the record, such as a person’s name, address, or telephone number. Each attribute is assigned a data type such as text, number, or date, and the database engine will reject invalid inputs.
A database row comprises an individual record, such as the details about a student who attends a school. Consider the example in Table 7.1.
TABLE 7.1 Students Table
Student ID   First Name   Last Name   Gender   Age
1001         Joe          Dusty       M        29
1002         Andrea       Romanov     F        20
1003         Ben          Johnson     M        30
1004         Beth         Roberts     F        30
This is an example of a basic table that would sit in a relational database. There are five fields with different data types:
Student ID = Number or integer
First Name = String
Last Name = String
Gender = String (Character Length = 1)
Age = Integer
This sample table has four records, with each record representing an individual student. Each student has a Student ID field, which is usually a unique number per student. A unique number that identifies each student can be called a primary key.
One record in a table can relate to a record in another table by referencing the primary key of a record. This pointer or reference is called a foreign key. For example, the Grades table that records scores for each student would have its own primary key and an additional column known as a foreign key that refers to the primary key of the student record. By referencing the primary keys of other tables, relational databases minimize duplication of data in associated tables. With relational databases, it is important to note that the structure of the table (such as the number of columns and data type of each column) must be defined prior to data being added to the table.
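The Students table and the Grades relation just described, carried through as a working schema; this is an added example, not code from the book. It assumes only Python's built-in sqlite3 module, and the Grades columns (Course, Score) and the score values are constructed for illustration.

```python
"""Primary key, foreign key and structure-before-data, shown on the chapter's
Students table (added example, not from the book). Runs offline on SQLite."""
import sqlite3

# Table 7.1 rows, transcribed as constructed sample data.
STUDENTS = [
    (1001, "Joe", "Dusty", "M", 29),
    (1002, "Andrea", "Romanov", "F", 20),
    (1003, "Ben", "Johnson", "M", 30),
    (1004, "Beth", "Roberts", "F", 30),
]
# Constructed grades: the StudentID column is the foreign key into Students.
GRADES = [(1001, "Math", 88), (1002, "Math", 95), (1001, "History", 74)]


def build_school_db() -> sqlite3.Connection:
    """Define the table structure first, then load rows into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE Students (
            StudentID INTEGER PRIMARY KEY,               -- unique per student
            FirstName TEXT NOT NULL,
            LastName  TEXT NOT NULL,
            Gender    TEXT NOT NULL CHECK (length(Gender) = 1),
            Age       INTEGER NOT NULL
        );
        CREATE TABLE Grades (
            GradeID   INTEGER PRIMARY KEY,               -- Grades' own primary key
            StudentID INTEGER NOT NULL REFERENCES Students(StudentID),
            Course    TEXT NOT NULL,
            Score     INTEGER NOT NULL CHECK (Score BETWEEN 0 AND 100)
        );
    """)
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?, ?, ?)", STUDENTS)
    conn.executemany(
        "INSERT INTO Grades (StudentID, Course, Score) VALUES (?, ?, ?)", GRADES)
    conn.commit()
    return conn


def add_student(conn, student_id, first, last, gender, age) -> bool:
    """False when the engine rejects the row: duplicate primary key or a
    Gender value that is not exactly one character."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO Students VALUES (?, ?, ?, ?, ?)",
                         (student_id, first, last, gender, age))
        return True
    except sqlite3.IntegrityError:
        return False


def record_grade(conn, student_id, course, score) -> bool:
    """False when the engine rejects the row: the foreign key points at no
    student, or the score is outside the declared range."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO Grades (StudentID, Course, Score) VALUES (?, ?, ?)",
                (student_id, course, score))
        return True
    except sqlite3.IntegrityError:
        return False


def average_scores(conn) -> dict:
    """Join across the foreign key: each name is stored once, in Students,
    and reached from every grade row through StudentID."""
    rows = conn.execute("""
        SELECT s.FirstName || ' ' || s.LastName, AVG(g.Score)
        FROM Grades AS g JOIN Students AS s ON s.StudentID = g.StudentID
        GROUP BY s.StudentID ORDER BY s.StudentID
    """).fetchall()
    return {name: avg for name, avg in rows}


if __name__ == "__main__":
    db = build_school_db()
    print(record_grade(db, 9999, "Math", 70))   # False: no student 9999
    print(average_scores(db))                    # {'Joe Dusty': 81.0, 'Andrea Romanov': 95.0}
```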
A relational database can be categorized as either an Online Transaction Processing (OLTP) or Online Analytical Processing (OLAP) database system, depending on how the tables are organized and how the application uses the relational database. OLTP refers to transaction-oriented applications that are frequently writing and changing data (for example, data entry and e-commerce). OLAP is typically the domain of data warehouses and refers to reporting or analyzing large data sets. Large applications often have a mix of both OLTP and OLAP databases.
Amazon Relational Database Service (Amazon RDS) significantly simplifies the setup and maintenance of OLTP and OLAP databases. Amazon RDS provides support for six popular relational database engines: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, MariaDB, and Amazon Aurora. You can also choose to run nearly any database engine using Windows or Linux Amazon Elastic Compute Cloud (Amazon EC2) instances and manage the installation and administration yourself.
Data Warehouses
A data warehouse is a central repository for data that can come from one or more sources. This data repository is often a specialized type of relational database that can be used for reporting and analysis via OLAP. Organizations typically use data warehouses to compile reports and search the database using highly complex queries.
Data warehouses are also typically updated on a batch schedule multiple times per day or per hour, compared to an OLTP relational database that can be updated thousands of times per second. Many organizations split their relational databases into two different databases: one database as their main production database for OLTP transactions, and the other database as their data warehouse for OLAP. OLTP transactions occur frequently and are relatively simple. OLAP transactions occur much less frequently but are much more complex.
Amazon RDS is often used for OLTP workloads, but it can also be used for OLAP. Amazon Redshift is a high-performance data warehouse designed specifically for OLAP use cases. It is also common to combine Amazon RDS with Amazon Redshift in the same application and periodically extract recent transactions and load them into a reporting database.
NoSQL Databases
NoSQL databases have gained significant popularity in recent years because they are often simpler to use, more flexible, and can achieve performance levels that are difficult or impossible with traditional relational databases. Traditional relational databases are difficult to scale beyond a single server without significant engineering and cost, but a NoSQL architecture allows for horizontal scalability on commodity hardware.
NoSQL databases are non-relational and do not have the same table and column semantics of a relational database. NoSQL databases are instead often key/value stores or document stores with flexible schemas that can evolve over time or vary. Contrast that to a relational database, which requires a very rigid schema.
Many of the concepts of NoSQL architectures trace their foundational concepts back to whitepapers published in 2006 and 2007 that described distributed systems like Dynamo at Amazon. Today, many application teams use HBase, MongoDB, Cassandra, CouchDB, Riak, and Amazon DynamoDB to store large volumes of data with high transaction rates. Many of these database engines support clustering and scale horizontally across many machines for performance and fault tolerance. A common use case for NoSQL is managing user session state, user profiles, shopping cart data, or time-series data.
You can run any type of NoSQL database on AWS using Amazon EC2, or you can choose a managed service like Amazon DynamoDB to deal with the heavy lifting involved with building a distributed cluster spanning multiple data centers.
Amazon Relational Database Service (Amazon RDS)
Amazon RDS is a service that simplifies the setup, operations, and scaling of a relational database on AWS. With Amazon RDS, you can spend more time focusing on the application and the schema and let Amazon RDS offload common tasks like backups, patching, scaling, and replication.
Amazon RDS helps you to streamline the installation of the database software and also the provisioning of infrastructure capacity. Within a few minutes, Amazon RDS can launch one of many popular database engines that is ready to start taking SQL transactions. After the initial launch, Amazon RDS simplifies ongoing maintenance by automating common administrative tasks on a recurring basis.
With Amazon RDS, you can accelerate your development timelines and establish a consistent operating model for managing relational databases. For example, Amazon RDS makes it easy to replicate your data to increase availability, improve durability, or scale up or beyond a single database instance for read-heavy database workloads.
Amazon RDS exposes a database endpoint to which client software can connect and execute SQL. Amazon RDS does not provide shell access to Database (DB) Instances, and it restricts access to certain system procedures and tables that require advanced privileges. With Amazon RDS, you can typically use the same tools to query, analyze, modify, and administer the database. For example, current Extract, Transform, Load (ETL) tools and reporting tools can connect to Amazon RDS databases in the same way with the same drivers, and often all it takes to reconfigure is changing the hostname in the connection string.
Database (DB) Instances
The Amazon RDS service itself provides an Application Programming Interface (API) that lets you create and manage one or more DB Instances. A DB Instance is an isolated database environment deployed in your private network segments in the cloud. Each DB Instance runs and manages a popular commercial or open source database engine on your behalf. Amazon RDS currently supports the following database engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora.
You can launch a new DB Instance by calling the CreateDBInstance API or by using the AWS Management Console. Existing DB Instances can be changed or resized using the ModifyDBInstance API. A DB Instance can contain multiple different databases, all of which you create and manage within the DB Instance itself by executing SQL commands with the Amazon RDS endpoint. The different databases can be created, accessed, and managed using the same SQL client tools and applications that you use today.
The compute and memory resources of a DB Instance are determined by its DB Instance class. You can select the DB Instance class that best meets your needs for compute and memory. The range of DB Instance classes extends from a db.t2.micro with 1 virtual CPU (vCPU) and 1 GB of memory, up to a db.r3.8xlarge with 32 vCPUs and 244 GB of memory. As your needs change over time, you can change the instance class and the balance of compute and memory, and Amazon RDS will migrate your data to a larger or smaller instance class. Independent from the DB Instance class that you select, you can also control the size and performance characteristics of the storage used.
Amazon RDS supports a large variety of engines, versions, and feature combinations. Check the Amazon RDS documentation to determine support for specific features. Many features and common configuration settings are exposed and managed using DB parameter groups and DB option groups. A DB parameter group acts as a container for engine configuration values that can be applied to one or more DB Instances. You may change the DB parameter group for an existing instance, but a reboot is required. A DB option group acts as a container for engine features, which is empty by default. In order to enable specific features of a DB engine (for example, Oracle Statspack, Microsoft SQL Server Mirroring), you create a new DB option group and configure the settings accordingly.
Existing databases can be migrated to Amazon RDS using native tools and techniques that vary depending on the engine. For example, with MySQL you can export a backup using mysqldump and import the file into Amazon RDS MySQL. You can also use the AWS Database Migration Service, which gives you a graphical interface that simplifies the migration of both schema and data between databases. AWS Database Migration Service also helps convert databases from one database engine to another.
Operational Benefits
Amazon RDS increases the operational reliability of your databases by applying a very consistent deployment and operational model. This level of consistency is achieved in part by limiting the types of changes that can be made to the underlying infrastructure and through the extensive use of automation. For example, with Amazon RDS you cannot use Secure Shell (SSH) to log in to the host instance and install a custom piece of software. You can, however, connect using SQL administrator tools or use DB option groups and DB parameter groups to change the behavior or feature configuration for a DB Instance. If you want full control of the Operating System (OS) or require elevated permissions to run, then consider installing your database on Amazon EC2 instead of Amazon RDS.
Amazon RDS is designed to simplify the common tasks required to operate a relational database in a reliable manner. It’s useful to compare the responsibilities of an administrator when operating a relational database in your data center, on Amazon EC2, or with Amazon RDS (see Table 7.2).
TABLE 7.2 Comparison of Operational Responsibilities
Responsibility          Database On-Premise   Database on Amazon EC2   Database on Amazon RDS
App Optimization        You                   You                      You
Scaling                 You                   You                      AWS
High Availability       You                   You                      AWS
Backups                 You                   You                      AWS
DB Engine Patches       You                   You                      AWS
Software Installation   You                   You                      AWS
OS Patches              You                   You                      AWS
OS Installation         You                   AWS                      AWS
Server Maintenance      You                   AWS                      AWS
Rack and Stack          You                   AWS                      AWS
Power and Cooling       You                   AWS                      AWS
Database Engines

Amazon RDS supports six database engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora. Features and capabilities vary slightly depending on the engine that you select.

MySQL

MySQL is one of the most popular open source databases in the world, and it is used to power a wide range of applications, from small personal blogs to some of the largest websites in the world. As of the time of this writing, Amazon RDS for MySQL currently supports MySQL 5.7, 5.6, 5.5, and 5.1. The engine is running the open source Community Edition with InnoDB as the default and recommended database storage engine. Amazon RDS MySQL allows you to connect using standard MySQL tools such as MySQL Workbench or SQL Workbench/J. Amazon RDS MySQL supports Multi-AZ deployments for high availability and read replicas for horizontal scaling.

PostgreSQL

PostgreSQL is a widely used open source database engine with a very rich set of features and advanced functionality. Amazon RDS supports DB Instances running several versions of PostgreSQL. As of the time of this writing, Amazon RDS supports multiple releases of PostgreSQL, including 9.5.x, 9.4.x, and 9.3.x. Amazon RDS PostgreSQL can be managed using standard tools like pgAdmin and supports standard JDBC/ODBC drivers. Amazon RDS PostgreSQL also supports Multi-AZ deployment for high availability and read replicas for horizontal scaling.

MariaDB

Amazon RDS recently added support for DB Instances running MariaDB. MariaDB is a popular open source database engine built by the creators of MySQL and enhanced with enterprise tools and functionality. MariaDB adds features that enhance the performance, availability, and scalability of MySQL. As of the time of this writing, AWS supports MariaDB version 10.0.17. Amazon RDS fully supports the XtraDB storage engine for MariaDB DB Instances and, like Amazon RDS MySQL and PostgreSQL, has support for Multi-AZ deployment and read replicas.

Oracle

Oracle is one of the most popular relational databases used in the enterprise and is fully supported by Amazon RDS. As of the time of this writing, Amazon RDS supports DB Instances running several editions of Oracle 11g and Oracle 12c. Amazon RDS supports access to schemas on a DB Instance using any standard SQL client application, such as Oracle SQL Plus.
Amazon RDS Oracle supports three different editions of the popular database engine: Standard Edition One, Standard Edition, and Enterprise Edition. Table 7.3 outlines some of the major differences between editions:

TABLE 7.3 Amazon RDS Oracle Editions Compared

Edition        Performance   Multi-AZ   Encryption
Standard One   ++++          Yes        KMS
Standard       ++++++++      Yes        KMS
Enterprise     ++++++++      Yes        KMS and TDE
Microsoft SQL Server

Microsoft SQL Server is another very popular relational database used in the enterprise. Amazon RDS allows Database Administrators (DBAs) to connect to their SQL Server DB Instance in the cloud using native tools like SQL Server Management Studio. As of the time of this writing, Amazon RDS provides support for several versions of Microsoft SQL Server, including SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014.

Amazon RDS SQL Server also supports four different editions of SQL Server: Express Edition, Web Edition, Standard Edition, and Enterprise Edition. Table 7.4 highlights the relative performance, availability, and encryption differences among these editions.

TABLE 7.4 Amazon RDS SQL Server Editions Compared

Edition      Performance   Multi-AZ   Encryption
Express      +             No         KMS
Web          ++++          No         KMS
Standard     ++++          Yes        KMS
Enterprise   ++++++++      Yes        KMS and TDE
Licensing

Amazon RDS Oracle and Microsoft SQL Server are commercial software products that require appropriate licenses to operate in the cloud. AWS offers two licensing models: License Included and Bring Your Own License (BYOL).

License Included

In the License Included model, the license is held by AWS and is included in the Amazon RDS instance price. For Oracle, License Included provides licensing for Standard Edition One. For SQL Server, License Included provides licensing for SQL Server Express Edition, Web Edition, and Standard Edition.

Bring Your Own License (BYOL)

In the BYOL model, you provide your own license. For Oracle, you must have the appropriate Oracle Database license for the DB Instance class and Oracle Database edition you want to run. You can bring over Standard Edition One, Standard Edition, and Enterprise Edition.

For SQL Server, you provide your own license under the Microsoft License Mobility program. You can bring over Microsoft SQL Standard Edition and also Enterprise Edition. You are responsible for tracking and managing how licenses are allocated.
Amazon Aurora

Amazon Aurora offers enterprise-grade commercial database technology while offering the simplicity and cost effectiveness of an open source database. This is achieved by redesigning the internal components of MySQL to take a more service-oriented approach.

Like other Amazon RDS engines, Amazon Aurora is a fully managed service, is MySQL-compatible out of the box, and provides for increased reliability and performance over standard MySQL deployments. Amazon Aurora can deliver up to five times the performance of MySQL without requiring changes to most of your existing web applications. You can use the same code, tools, and applications that you use with your existing MySQL databases with Amazon Aurora.

When you first create an Amazon Aurora instance, you create a DB cluster. A DB cluster has one or more instances and includes a cluster volume that manages the data for those instances. An Amazon Aurora cluster volume is a virtual database storage volume that spans multiple Availability Zones, with each Availability Zone having a copy of the cluster data. An Amazon Aurora DB cluster consists of two different types of instances:

Primary Instance  This is the main instance, which supports both read and write workloads. When you modify your data, you are modifying the primary instance. Each Amazon Aurora DB cluster has one primary instance.

Amazon Aurora Replica  This is a secondary instance that supports only read operations. Each DB cluster can have up to 15 Amazon Aurora Replicas in addition to the primary instance. By using multiple Amazon Aurora Replicas, you can distribute the read workload among various instances, increasing performance. You can also locate your Amazon Aurora Replicas in multiple Availability Zones to increase your database availability.
Storage Options

Amazon RDS is built using Amazon Elastic Block Store (Amazon EBS) and allows you to select the right storage option based on your performance and cost requirements. Depending on the database engine and workload, you can scale up to 4 to 6 TB in provisioned storage and up to 30,000 IOPS. Amazon RDS supports three storage types: Magnetic, General Purpose (Solid State Drive [SSD]), and Provisioned IOPS (SSD). Table 7.5 highlights the relative size, performance, and cost differences between types.

TABLE 7.5 Amazon RDS Storage Types

              Magnetic   General Purpose (SSD)   Provisioned IOPS (SSD)
Size          +++        +++++                   +++++
Performance   +          +++                     +++++
Cost          ++         +++                     +++++

Magnetic  Magnetic storage, also called standard storage, offers cost-effective storage that is ideal for applications with light I/O requirements.

General Purpose (SSD)  General purpose (SSD)-backed storage, also called gp2, can provide faster access than magnetic storage. This storage type can provide burst performance to meet spikes and is excellent for small- to medium-sized databases.

Provisioned IOPS (SSD)  Provisioned IOPS (SSD) storage is designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput.

For most applications, General Purpose (SSD) is the best option and provides a good mix of lower-cost and higher-performance characteristics.
Backup and Recovery

Amazon RDS provides a consistent operational model for backup and recovery procedures across the different database engines. Amazon RDS provides two mechanisms for backing up the database: automated backups and manual snapshots. By using a combination of both techniques, you can design a backup recovery model to protect your application data.

Each organization typically will define a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for important applications based on the criticality of the application and the expectations of the users. It's common for enterprise systems to have an RPO measured in minutes and an RTO measured in hours or even days, while some critical applications may have much lower tolerances.

RPO is defined as the maximum period of data loss that is acceptable in the event of a failure or incident. For example, many systems back up transaction logs every 15 minutes to allow them to minimize data loss in the event of an accidental deletion or hardware failure.

RTO is defined as the maximum amount of downtime that is permitted to recover from backup and to resume processing. For large databases in particular, it can take hours to restore from a full backup. In the event of a hardware failure, you can reduce your RTO to minutes by failing over to a secondary node. You should create a recovery plan that, at a minimum, lets you recover from a recent backup.

Automated Backups

An automated backup is an Amazon RDS feature that continuously tracks changes and backs up your database. Amazon RDS creates a storage volume snapshot of your DB Instance, backing up the entire DB Instance and not just individual databases. You can set the backup retention period when you create a DB Instance. One day of backups will be retained by default, but you can modify the retention period up to a maximum of 35 days. Keep in mind that when you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered. Manual snapshots, however, are not deleted.

Automated backups will occur daily during a configurable 30-minute maintenance window called the backup window. Automated backups are kept for a configurable number of days, called the backup retention period. You can restore your DB Instance to any specific time during this retention period, creating a new DB Instance.

Manual DB Snapshots

In addition to automated backups, you can perform manual DB snapshots at any time. A DB snapshot is initiated by you and can be created as frequently as you want. You can then restore the DB Instance to the specific state in the DB snapshot at any time. DB snapshots can be created with the Amazon RDS console or the CreateDBSnapshot action. Unlike automated snapshots that are deleted after the retention period, manual DB snapshots are kept until you explicitly delete them with the Amazon RDS console or the DeleteDBSnapshot action.

For busy databases, use Multi-AZ to minimize the performance impact of a snapshot. During the backup window, storage I/O may be suspended while your data is being backed up, and you may experience elevated latency. This I/O suspension typically lasts for the duration of the snapshot. This period of I/O suspension is shorter for Multi-AZ DB deployments because the backup is taken from the standby, but latency can occur during the backup process.

Recovery

Amazon RDS allows you to recover your database quickly whether you are performing automated backups or manual DB snapshots. You cannot restore from a DB snapshot to an existing DB Instance; a new DB Instance is created when you restore. When you restore a DB Instance, only the default DB parameter and security groups are associated with the restored instance. As soon as the restore is complete, you should associate any custom DB parameter or security groups used by the instance from which you restored. When using automated backups, Amazon RDS combines the daily backups performed during your predefined maintenance window in conjunction with transaction logs to enable you to restore your DB Instance to any point during your retention period, typically up to the last five minutes.
High Availability with Multi-AZ

One of the most powerful features of Amazon RDS is Multi-AZ deployments, which allow you to create a database cluster across multiple Availability Zones. Setting up a relational database to run in a highly available and fault-tolerant fashion is a challenging task. With Amazon RDS Multi-AZ, you can reduce the complexity involved with this common administrative task; with a single option, Amazon RDS can increase the availability of your database using replication. Multi-AZ lets you meet the most demanding RPO and RTO targets by using synchronous replication to minimize RPO and fast failover to minimize RTO to minutes.

Multi-AZ allows you to place a secondary copy of your database in another Availability Zone for disaster recovery purposes. Multi-AZ deployments are available for all types of Amazon RDS database engines. When you create a Multi-AZ DB Instance, a primary instance is created in one Availability Zone and a secondary instance is created in another Availability Zone. You are assigned a database instance endpoint such as the following:

my_app_db.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com

This endpoint is a Domain Name System (DNS) name that AWS takes responsibility for resolving to a specific IP address. You use this DNS name when creating the connection to your database. Figure 7.1 illustrates a typical Multi-AZ deployment spanning two Availability Zones.

FIGURE 7.1 Multi-AZ Amazon RDS architecture

Amazon RDS automatically replicates the data from the master database or primary instance to the slave database or secondary instance using synchronous replication. Each Availability Zone runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following:

Loss of availability in the primary Availability Zone
Loss of network connectivity to the primary database
Compute unit failure on the primary database
Storage failure on the primary database

Amazon RDS will automatically fail over to the standby instance without user intervention. The DNS name remains the same, but the Amazon RDS service changes the CNAME to point to the standby. The primary DB Instance switches over automatically to the standby replica if there was an Availability Zone service disruption, if the primary DB Instance fails, or if the instance type is changed. You can also perform a manual failover of the DB Instance. Failover between the primary and the secondary instance is fast, and the time automatic failover takes to complete is typically one to two minutes.

It is important to remember that Multi-AZ deployments are for disaster recovery only; they are not meant to enhance database performance. The standby DB Instance is not available to offload queries from the primary master DB Instance. To improve database performance using multiple DB Instances, use read replicas or other DB caching technologies such as Amazon ElastiCache.
Scaling Up and Out

As the number of transactions to a relational database increases, scaling up, or vertically, by getting a larger machine allows you to process more reads and writes. Scaling out, or horizontally, is also possible, but it is often more difficult. Amazon RDS allows you to scale compute and storage vertically, and for some DB engines, you can scale horizontally.

Vertical Scalability

Adding additional compute, memory, or storage resources to your database allows you to process more transactions, run more queries, and store more data. Amazon RDS makes it easy to scale up or down your database tier to meet the demands of your application. Changes can be scheduled to occur during the next maintenance window or to begin immediately using the ModifyDBInstance action.

To change the amount of compute and memory, you can select a different DB Instance class of the database. After you select a larger or smaller DB Instance class, Amazon RDS automates the migration process to a new class with only a short disruption and minimal effort.

You can also increase the amount of storage, the storage class, and the storage performance for an Amazon RDS Instance. Each database instance can scale from 5 GB up to 6 TB in provisioned storage depending on the storage type and engine. Storage for Amazon RDS can be increased over time as needs grow with minimal impact to the running database. Storage expansion is supported for all of the database engines except for SQL Server.

Horizontal Scalability with Partitioning

A relational database can be scaled vertically only so much before you reach the maximum instance size. Partitioning a large relational database into multiple instances or shards is a common technique for handling more requests beyond the capabilities of a single instance.

Partitioning, or sharding, allows you to scale horizontally to handle more users and requests but requires additional logic in the application layer. The application needs to decide how to route database requests to the correct shard and becomes limited in the types of queries that can be performed across server boundaries. NoSQL databases like Amazon DynamoDB or Cassandra are designed to scale horizontally.
Horizontal Scalability with Read Replicas

Another important scaling technique is to use read replicas to offload read transactions from the primary database and increase the overall number of transactions. Amazon RDS supports read replicas that allow you to scale out elastically beyond the capacity constraints of a single DB Instance for read-heavy database workloads.

There are a variety of use cases where deploying one or more read replica DB Instances is helpful. Some common scenarios include:

Scale beyond the capacity of a single DB Instance for read-heavy workloads.
Handle read traffic while the source DB Instance is unavailable. For example, due to I/O suspension for backups or scheduled maintenance, you can direct read traffic to a replica.
Offload reporting or data warehousing scenarios against a replica instead of the primary DB Instance.

For example, a blogging website may have very little write activity except for the occasional comment, and the vast majority of database activity will be read-only. By offloading some or all of the read activity to one or more read replicas, the primary database instance can focus on handling the writes and replicating the data out to the replicas.

Read replicas are currently supported in Amazon RDS for MySQL, PostgreSQL, MariaDB, and Amazon Aurora. Amazon RDS uses the MySQL, MariaDB, and PostgreSQL DB engines' built-in replication functionality to create a special type of DB Instance, called a read replica, from a source DB Instance. Updates made to the source DB Instance are asynchronously copied to the read replica. You can reduce the load on your source DB Instance by routing read queries from your applications to the read replica.

You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. To enhance your disaster recovery capabilities or reduce global latencies, you can use cross-region read replicas to serve read traffic from a region closest to your global users or migrate your databases across AWS Regions.
Security

Securing your Amazon RDS DB Instances and relational databases requires a comprehensive plan that addresses the many layers commonly found in database-driven systems. This includes the infrastructure resources, the database, and the network.

Protect access to your infrastructure resources using AWS Identity and Access Management (IAM) policies that limit which actions AWS administrators can perform. For example, some key administrator actions that can be controlled in IAM include CreateDBInstance and DeleteDBInstance.

Another security best practice is to deploy your Amazon RDS DB Instances into a private subnet within an Amazon Virtual Private Cloud (Amazon VPC) that limits network access to the DB Instance. Before you can deploy into an Amazon VPC, you must first create a DB subnet group that predefines which subnets are available for Amazon RDS deployments. Further, restrict network access using network Access Control Lists (ACLs) and security groups to limit inbound traffic to a short list of source IP addresses.

At the database level, you will also need to create users and grant them permissions to read and write to your databases. Access to the database is controlled using the database engine-specific access control and user management mechanisms. Create users at the database level with strong passwords that you rotate frequently.

Finally, protect the confidentiality of your data in transit and at rest with multiple encryption capabilities provided with Amazon RDS. Security features vary slightly from one engine to another, but all engines support some form of in-transit encryption and also at-rest encryption. You can securely connect a client to a running DB Instance using Secure Sockets Layer (SSL) to protect data in transit. Encryption at rest is possible for all engines using the Amazon Key Management Service (KMS) or Transparent Data Encryption (TDE). All logs, backups, and snapshots are encrypted for an encrypted Amazon RDS instance.
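The controls described in this security section (private subnet, short source IP list, encryption at rest) and in the automated backups section (retention period) can be checked mechanically. The following is an added example written for this edition, not code from the study guide or from AWS: it audits constructed records whose shape mirrors the DescribeDBInstances and DescribeSecurityGroups API responses. The retention threshold of 7 days and the cap of 4 source CIDRs are policy assumptions, the engine port table assumes default listener ports, and all identifiers and addresses are placeholders.

```python
"""Audit RDS instance settings and security group ingress rules.

Added example, not code from the study guide. The record shapes mirror the
DescribeDBInstances and DescribeSecurityGroups API responses, but every value
below is constructed sample data, not output from a real account.
"""
import ipaddress

# Default listener ports of the RDS engines (assumption: the default port is
# in use; the Endpoint port in the record wins when present).
DEFAULT_PORTS = {"mysql": 3306, "mariadb": 3306, "postgres": 5432,
                 "oracle-se1": 1521, "sqlserver-se": 1433, "aurora": 3306}

MIN_RETENTION_DAYS = 7   # policy threshold (assumption, not from the text)
MAX_SOURCE_CIDRS = 4     # "short list of source IP addresses" (assumption)


def audit_ingress(name, sg, port):
    """Flag ingress rules that expose the database listener too widely."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto not in ("tcp", "-1") or not lo <= port <= hi:
            continue  # rule cannot reach the database port
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        for cidr in cidrs:
            # A /0 prefix means "anyone"; that is never a short list of sources.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(("HIGH", f"{name}: {sg['GroupId']} opens port {port} to {cidr}"))
        if len(cidrs) > MAX_SOURCE_CIDRS:
            findings.append(("MEDIUM", f"{name}: {sg['GroupId']} allows {len(cidrs)} source CIDRs on port {port}"))
    return findings


def audit_instance(inst, security_groups):
    """Return (severity, message) findings for one DescribeDBInstances record."""
    name = inst["DBInstanceIdentifier"]
    findings = []
    if inst.get("PubliclyAccessible"):
        findings.append(("HIGH", f"{name}: PubliclyAccessible is true; deploy into a private subnet"))
    if not inst.get("StorageEncrypted"):
        findings.append(("HIGH", f"{name}: storage is not encrypted at rest"))
    if not inst.get("MultiAZ"):
        findings.append(("MEDIUM", f"{name}: single-AZ, no automatic failover"))
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention < MIN_RETENTION_DAYS:
        findings.append(("MEDIUM", f"{name}: automated backups kept {retention} day(s), below {MIN_RETENTION_DAYS}"))
    port = inst.get("Endpoint", {}).get("Port") or DEFAULT_PORTS[inst["Engine"]]
    for ref in inst.get("VpcSecurityGroups", []):
        sg = security_groups.get(ref["VpcSecurityGroupId"])
        if sg is None:
            findings.append(("LOW", f"{name}: unknown security group {ref['VpcSecurityGroupId']}"))
            continue
        findings.extend(audit_ingress(name, sg, port))
    return findings


# Constructed sample data (group IDs, CIDRs and instance names are placeholders).
SECURITY_GROUPS = {
    "sg-0aaa": {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"}]}]},
    "sg-0bbb": {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}
INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "postgres", "MultiAZ": True,
     "StorageEncrypted": True, "PubliclyAccessible": False,
     "BackupRetentionPeriod": 14, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}]},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql", "MultiAZ": False,
     "StorageEncrypted": False, "PubliclyAccessible": True,
     "BackupRetentionPeriod": 1, "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}]},
]


def run_audit(instances=INSTANCES, security_groups=SECURITY_GROUPS):
    """Audit every instance and return {identifier: findings}."""
    return {i["DBInstanceIdentifier"]: audit_instance(i, security_groups)
            for i in instances}


if __name__ == "__main__":
    for ident, found in run_audit().items():
        print(ident, "OK" if not found else "")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

On the constructed data the first instance passes cleanly and the second produces five findings: three HIGH (public endpoint, unencrypted storage, a 0.0.0.0/0 rule on the MySQL port) and two MEDIUM (single-AZ, one day of backups). The same functions can be fed the output of the real describe calls, since only the record shape is assumed.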
Amazon Redshift

Amazon Redshift is a fast, powerful, fully managed, petabyte-scale data warehouse service in the cloud. Amazon Redshift is a relational database designed for OLAP scenarios and optimized for high-performance analysis and reporting of very large datasets. Traditional data warehouses are difficult and expensive to manage, especially for large datasets. Amazon Redshift not only significantly lowers the cost of a data warehouse, but it also makes it easy to analyze large amounts of data very quickly.

Amazon Redshift gives you fast querying capabilities over structured data using standard SQL commands to support interactive querying over large datasets. With connectivity via ODBC or JDBC, Amazon Redshift integrates well with various data loading, reporting, data mining, and analytics tools. Amazon Redshift is based on industry-standard PostgreSQL, so most existing SQL client applications will work with only minimal changes.

Amazon Redshift manages the work needed to set up, operate, and scale a data warehouse, from provisioning the infrastructure capacity to automating ongoing administrative tasks such as backups and patching. Amazon Redshift automatically monitors your nodes and drives to help you recover from failures.

Clusters and Nodes

The key component of an Amazon Redshift data warehouse is a cluster. A cluster is composed of a leader node and one or more compute nodes. The client application interacts directly only with the leader node, and the compute nodes are transparent to external applications.

Amazon Redshift currently has support for six different node types, and each has a different mix of CPU, memory, and storage. The six node types are grouped into two categories: Dense Compute and Dense Storage. The Dense Compute node types support clusters up to 326 TB using fast SSDs, while the Dense Storage nodes support clusters up to 2 PB using large magnetic disks. Each cluster consists of one leader node and one or more compute nodes. Figure 7.2 shows the internal components of an Amazon Redshift data warehouse cluster.

FIGURE 7.2 Amazon Redshift cluster architecture

Each cluster contains one or more databases. User data for each table is distributed across the compute nodes. Your application or SQL client communicates with Amazon Redshift using standard JDBC or ODBC connections with the leader node, which in turn coordinates query execution with the compute nodes. Your application does not interact directly with the compute nodes.

The disk storage for a compute node is divided into a number of slices. The number of slices per node depends on the node size of the cluster and typically varies between 2 and 16. The nodes all participate in parallel query execution, working on data that is distributed as evenly as possible across the slices.

You can increase query performance by adding multiple nodes to a cluster. When you submit a query, Amazon Redshift distributes and executes the query in parallel across all of a cluster's compute nodes. Amazon Redshift also spreads your table data across all compute nodes in a cluster based on a distribution strategy that you specify. This partitioning of data across multiple compute resources allows you to achieve high levels of performance.

Amazon Redshift allows you to resize a cluster to add storage and compute capacity over time as your needs evolve. You can also change the node type of a cluster and keep the overall size the same. Whenever you perform a resize operation, Amazon Redshift will create a new cluster and migrate data from the old cluster to the new one. During a resize operation, the database will become read-only until the operation is finished.
Table Design

Each Amazon Redshift cluster can support one or more databases, and each database can contain many tables. Like most SQL-based databases, you can create a table using the CREATE TABLE command. This command specifies the name of the table, the columns, and their data types. In addition to columns and data types, the Amazon Redshift CREATE TABLE command also supports specifying compression encodings, distribution strategy, and sort keys.

Data Types

Amazon Redshift columns support a wide range of data types. This includes common numeric data types like INTEGER, DECIMAL, and DOUBLE, text data types like CHAR and VARCHAR, and date data types like DATE and TIMESTAMP. Additional columns can be added to a table using the ALTER TABLE command; however, existing columns cannot be modified.

Compression Encoding

One of the key performance optimizations used by Amazon Redshift is data compression. When loading data for the first time into an empty table, Amazon Redshift will automatically sample your data and select the best compression scheme for each column. Alternatively, you can specify compression encoding on a per-column basis as part of the CREATE TABLE command.

Distribution Strategy

One of the primary decisions when creating a table in Amazon Redshift is how to distribute the records across the nodes and slices in a cluster. You can configure the distribution style of a table to give Amazon Redshift hints as to how the data should be partitioned to best meet your query patterns. When you run a query, the optimizer shifts the rows to the compute nodes as needed to perform any joins and aggregates. The goal in selecting a table distribution style is to minimize the impact of the redistribution step by putting the data where it needs to be before the query is performed.

The data distribution style that you select for your database has a big impact on query performance, storage requirements, data loading, and maintenance. By choosing the best distribution strategy for each table, you can balance your data distribution and significantly improve overall system performance. When creating a table, you can choose between one of three distribution styles: EVEN, KEY, or ALL.

EVEN distribution  This is the default option and results in the data being distributed across the slices in a uniform fashion regardless of the data.

KEY distribution  With KEY distribution, the rows are distributed according to the values in one column. The leader node will store matching values close together and increase query performance for joins.

ALL distribution  With ALL, a full copy of the entire table is distributed to every node. This is useful for lookup tables and other large tables that are not updated frequently.

Sort Keys

Another important decision to make during the creation of a table is whether to specify one or more columns as sort keys. Sorting enables efficient handling of range-restricted predicates. If a query uses a range-restricted predicate, the query processor can rapidly skip over large numbers of blocks during table scans.

The sort keys for a table can be either compound or interleaved. A compound sort key is more efficient when query predicates use a prefix, which is a subset of the sort key columns in order. An interleaved sort key gives equal weight to each column in the sort key, so query predicates can use any subset of the columns that make up the sort key, in any order.
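The effect of the distribution style on the redistribution step, and of a sort key on block skipping, can be made concrete with a small model. The following is an added example, not code from the study guide and not Redshift's own implementation: it treats a cluster as eight slices, uses zlib.crc32 in place of Redshift's hash function, keeps an ALL copy on every slice (a simplification of the per-node copy the text describes), and counts how many rows of an orders/customers join would have to move between slices under each layout. The two tables, the slice count and the block size are all constructed.

```python
"""Toy model of Amazon Redshift distribution styles and sort keys.

Added example, not code from the study guide and not Redshift's internals.
A cluster is modeled as SLICES slices; KEY distribution hashes the key column
with zlib.crc32 (standing in for Redshift's own hash), EVEN deals rows round
robin, and ALL keeps a copy on every slice (a simplification of the per-node
copy the text describes). The tables and the block size are constructed.
"""
import zlib

SLICES = 8        # assumption: e.g. 4 compute nodes with 2 slices each
BLOCK_ROWS = 25   # assumption: rows per storage block in this model

# Constructed tables: 16 customers and 200 orders whose customer_id and
# order day are scrambled so EVEN distribution does not co-locate them by luck.
CUSTOMERS = [{"customer_id": c, "name": f"customer-{c}"} for c in range(16)]
ORDERS = [{"order_id": i, "customer_id": (7 * i + 3) % 16, "day": (37 * i) % 200}
          for i in range(200)]


def slice_for(value):
    """KEY distribution: equal key values always map to the same slice."""
    return zlib.crc32(str(value).encode()) % SLICES


def distribute(rows, style, key_column=None):
    """Place rows on slices; returns {slice_number: [row, ...]}."""
    placed = {s: [] for s in range(SLICES)}
    for i, row in enumerate(rows):
        if style == "ALL":
            for s in placed:
                placed[s].append(row)
        elif style == "KEY":
            placed[slice_for(row[key_column])].append(row)
        elif style == "EVEN":
            placed[i % SLICES].append(row)
        else:
            raise ValueError(f"unknown distribution style {style}")
    return placed


def rows_to_redistribute(fact, fact_style, dim, dim_style, join_col):
    """Count fact rows whose join partner is not on the same slice.

    Model assumption: a join row is processed locally only when the matching
    dimension row already sits on the same slice; every other row has to be
    shipped between slices first (the redistribution step the text describes).
    """
    f = distribute(fact, fact_style, join_col)
    d = distribute(dim, dim_style, join_col)
    moves = 0
    for s, fact_rows in f.items():
        local_keys = {r[join_col] for r in d[s]}
        moves += sum(1 for r in fact_rows if r[join_col] not in local_keys)
    return moves


def compare_styles():
    """Redistribution cost of orders JOIN customers under three layouts."""
    return {
        "EVEN/EVEN": rows_to_redistribute(ORDERS, "EVEN", CUSTOMERS, "EVEN", "customer_id"),
        "KEY/KEY": rows_to_redistribute(ORDERS, "KEY", CUSTOMERS, "KEY", "customer_id"),
        "EVEN/ALL": rows_to_redistribute(ORDERS, "EVEN", CUSTOMERS, "ALL", "customer_id"),
    }


def blocks_scanned(values, lo, hi, sorted_on_key):
    """Blocks a range-restricted predicate lo <= v <= hi has to read.

    Each block records its min and max (as Redshift's zone maps do); a block
    whose range cannot contain a match is skipped. With a sort key the ranges
    are narrow and disjoint, so most blocks are skipped.
    """
    ordered = sorted(values) if sorted_on_key else list(values)
    blocks = [ordered[i:i + BLOCK_ROWS] for i in range(0, len(ordered), BLOCK_ROWS)]
    return sum(1 for b in blocks if min(b) <= hi and max(b) >= lo)


def sort_key_effect(lo=10, hi=19):
    """Blocks read for `WHERE day BETWEEN lo AND hi` without and with a sort key."""
    days = [o["day"] for o in ORDERS]
    return {"unsorted": blocks_scanned(days, lo, hi, False),
            "sorted": blocks_scanned(days, lo, hi, True)}


if __name__ == "__main__":
    print("rows redistributed for the join:", compare_styles())
    print("blocks scanned for day BETWEEN 10 AND 19:", sort_key_effect())
```

With both tables distributed EVEN every one of the 200 order rows has to move before the join; with both on KEY customer_id, or with the small customers table on ALL, nothing moves. The sort key comparison reads one of eight blocks instead of all eight for the same range predicate.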
Loading Data

Amazon Redshift supports standard SQL commands like INSERT and UPDATE to create and modify records in a table. For bulk operations, however, Amazon Redshift provides the COPY command as a much more efficient alternative than repeatedly calling INSERT.

A COPY command can load data into a table in the most efficient manner, and it supports multiple types of input data sources. The fastest way to load data into Amazon Redshift is doing bulk data loads from flat files stored in an Amazon Simple Storage Service (Amazon S3) bucket or from an Amazon DynamoDB table.

When loading data from Amazon S3, the COPY command can read from multiple files at the same time. Amazon Redshift can distribute the workload to the nodes and perform the load process in parallel. Instead of having one single large file with your data, you can enable parallel processing by having a cluster with multiple nodes and multiple input files.

After each bulk data load that modifies a significant amount of data, you will need to perform a VACUUM command to reorganize your data and reclaim space after deletes. It is also recommended to run an ANALYZE command to update table statistics.

Data can also be exported out of Amazon Redshift using the UNLOAD command. This command can be used to generate delimited text files and store them in Amazon S3.
Querying Data

Amazon Redshift allows you to write standard SQL commands to query your tables. Because it supports commands like SELECT to query and join tables, analysts can quickly become productive using Amazon Redshift and integrate it easily with their existing tools. For complex queries, you can analyze the query plan to better optimize your access pattern. You can monitor the performance of the cluster and specific queries using Amazon CloudWatch and the Amazon Redshift web console.

For large Amazon Redshift clusters supporting many users, you can configure Workload Management (WLM) to queue and prioritize queries. WLM allows you to define multiple queues and set the concurrency level for each queue. For example, you might want to have one queue set up for long-running queries with limited concurrency and another queue for short-running queries that allows higher levels of concurrency.

Snapshots

Similar to Amazon RDS, you can create point-in-time snapshots of your Amazon Redshift cluster. A snapshot can then be used to restore a copy or create a clone of your original Amazon Redshift cluster. Snapshots are durably stored internally in Amazon S3 by Amazon Redshift.

Amazon Redshift supports both automated snapshots and manual snapshots. With automated snapshots, Amazon Redshift will periodically take snapshots of your cluster and keep a copy for a configurable retention period. You can also perform manual snapshots and share them across regions or even with other AWS accounts. Manual snapshots are retained until you explicitly delete them.
Security

Securing your Amazon Redshift cluster is similar to securing other databases running in the cloud. Your security plan should include controls to protect the infrastructure resources, the database schema, the records in the table, and network access. By addressing security at every level, you can securely operate an Amazon Redshift data warehouse in the cloud.

The first layer of security comes at the infrastructure level using IAM policies that limit the actions AWS administrators can perform. With IAM, you can create policies that grant other AWS users the permission to create and manage the lifecycle of a cluster, including scaling, backup, and recovery operations.

At the network level, Amazon Redshift clusters can be deployed within the private IP address space of your Amazon VPC to restrict overall network connectivity. Fine-grained network access can be further restricted using security groups and network ACLs at the subnet level.

In addition to controlling access at the infrastructure level, you must protect access at the database level. When you initially create an Amazon Redshift cluster, you will create a master user account and password. The master account can be used to log in to the Amazon Redshift database and to create more users and groups. Each database user can be granted permission to schemas, tables, and other database objects. These permissions are independent from the IAM policies used to control access to the infrastructure resources and the Amazon Redshift cluster configuration.

Protecting the data stored in Amazon Redshift is another important aspect of your security design. Amazon Redshift supports encryption of data in transit using SSL-encrypted connections, and also encryption of data at rest using multiple techniques. To encrypt data at rest, Amazon Redshift integrates with KMS and AWS CloudHSM for encryption key management services. Encryption at rest and in transit assists in meeting compliance requirements, such as for the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), and provides additional protections for your data.
Amazon DynamoDB

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and low-latency performance that scales with ease. Amazon DynamoDB lets you offload the administrative burdens of operating a distributed NoSQL database and focus on the application. Amazon DynamoDB significantly simplifies the hardware provisioning, setup and configuration, replication, software patching, and cluster scaling of NoSQL databases.

Amazon DynamoDB is designed to simplify database and cluster management, provide consistently high levels of performance, simplify scalability tasks, and improve reliability with automatic replication. Developers can create a table in Amazon DynamoDB and write an unlimited number of items with consistent latency.

Amazon DynamoDB can provide consistent performance levels by automatically distributing the data and traffic for a table over multiple partitions. After you configure a certain read or write capacity, Amazon DynamoDB will automatically add enough infrastructure capacity to support the requested throughput levels. As your demand changes over time, you can adjust the read or write capacity after a table has been created, and Amazon DynamoDB will add or remove infrastructure and adjust the internal partitioning accordingly.

To help maintain consistent, fast performance levels, all table data is stored on high-performance SSD disk drives. Performance metrics, including transaction rates, can be monitored using Amazon CloudWatch. In addition to providing high performance levels, Amazon DynamoDB also provides automatic high-availability and durability protections by replicating data across multiple Availability Zones within an AWS Region.

Data Model

The basic components of the Amazon DynamoDB data model include tables, items, and attributes. As depicted in Figure 7.3, a table is a collection of items and each item is a collection of one or more attributes. Each item also has a primary key that uniquely identifies the item.

FIGURE 7.3 Table, items, attributes relationship

In a relational database, a table has a predefined schema such as the table name, primary key, list of its column names, and their data types. All records stored in the table must have the same set of columns. In contrast, Amazon DynamoDB only requires that a table have a primary key, but it does not require you to define all of the attribute names and data types in advance. Individual items in an Amazon DynamoDB table can have any number of attributes, although there is a limit of 400 KB on the item size.

Each attribute in an item is a name/value pair. An attribute can be a single-valued or multi-valued set. For example, a book item can have title and authors attributes. Each book has one title but can have many authors. The multi-valued attribute is a set; duplicate values are not allowed. Data is stored in Amazon DynamoDB in key/value pairs such as the following:
{
    Id = 101
    ProductName = "Book 101 Title"
    ISBN = "123–1234567890"
    Authors = ["Author 1", "Author 2"]
    Price = 2.88
    Dimensions = "8.5 x 11.0 x 0.5"
    PageCount = 500
    InPublication = 1
    ProductCategory = "Book"
}
Applications can connect to the Amazon DynamoDB service endpoint and submit requests over HTTP/S to read and write items to a table or even to create and delete tables. DynamoDB provides a web service API that accepts requests in JSON format. While you could program directly against the web service API endpoints, most developers choose to use the AWS Software Development Kit (SDK) to interact with their items and tables. The AWS SDK is available in many different languages and provides a simplified, high-level programming interface.

Data Types

Amazon DynamoDB gives you a lot of flexibility with your database schema. Unlike a traditional relational database that requires you to define your column types ahead of time, DynamoDB only requires a primary key attribute. Each item that is added to the table can then add additional attributes. This gives you flexibility over time to expand your schema without having to rebuild the entire table and deal with record version differences with application logic.

When you create a table or a secondary index, you must specify the names and data types of each primary key attribute (partition key and sort key). Amazon DynamoDB supports a wide range of data types for attributes. Data types fall into three major categories: Scalar, Set, or Document.

Scalar Data Types

A scalar type represents exactly one value. Amazon DynamoDB supports the following five scalar types:

String  Text and variable length characters up to 400 KB. Supports Unicode with UTF8 encoding.
Number  Positive or negative number with up to 38 digits of precision.
Binary  Binary data, images, compressed objects up to 400 KB in size.
Boolean  Binary flag representing a true or false value.
Null  Represents a blank, empty, or unknown state. String, Number, Binary, Boolean cannot be empty.

Set Data Types

Sets are useful to represent a unique list of one or more scalar values. Each value in a set needs to be unique and must be the same data type. Sets do not guarantee order. Amazon DynamoDB supports three set types: String Set, Number Set, and Binary Set.

String Set  Unique list of String attributes
Number Set  Unique list of Number attributes
Binary Set  Unique list of Binary attributes

Document Data Types

Document type is useful to represent multiple nested attributes, similar to the structure of a JSON file. Amazon DynamoDB supports two document types: List and Map. Multiple Lists and Maps can be combined and nested to create complex structures.

List  Each List can be used to store an ordered list of attributes of different data types.
Map  Each Map can be used to store an unordered list of key/value pairs. Maps can be used to represent the structure of any JSON object.
PrimaryKeyWhenyoucreateatable,youmustspecifytheprimarykeyofthetableinadditiontothetablename.Likearelationaldatabase,theprimarykeyuniquelyidentifieseachiteminthetable.Aprimarykeywillpointtoexactlyoneitem.AmazonDynamoDBsupportstwotypesofprimarykeys,andthisconfigurationcannotbechangedafteratablehasbeencreated:
PartitionKeyTheprimarykeyismadeofoneattribute,apartition(orhash)key.AmazonDynamoDBbuildsanunorderedhashindexonthisprimarykeyattribute.
PartitionandSortKeyTheprimarykeyismadeoftwoattributes.Thefirstattributeisthepartitionkeyandthesecondoneisthesort(orrange)key.Eachiteminthetableisuniquelyidentifiedbythecombinationofitspartitionandsortkeyvalues.Itispossiblefortwoitemstohavethesamepartitionkeyvalue,butthosetwoitemsmusthavedifferentsortkeyvalues.
Furthermore,eachprimarykeyattributemustbedefinedastypestring,number,orbinary.AmazonDynamoDBusesthepartitionkeytodistributetherequesttotherightpartition.
Ifyouareperformingmanyreadsorwritespersecondonthesameprimarykey,youwillnotbeabletofullyusethecomputecapacityoftheAmazonDynamoDBcluster.Abestpracticeistomaximizeyourthroughputbydistributingrequestsacrossthefullrangeofpartitionkeys.
Provisioned Capacity
When you create an Amazon DynamoDB table, you are required to provision a certain amount of read and write capacity to handle your expected workloads. Based on your configuration settings, DynamoDB will then provision the right amount of infrastructure capacity to meet your requirements with sustained, low-latency response times. Overall capacity is measured in read and write capacity units. These values can later be scaled up or down by using an UpdateTable action.
Each operation against an Amazon DynamoDB table will consume some of the provisioned capacity units. The specific amount of capacity units consumed depends largely on the size of the item, but also on other factors. For read operations, the amount of capacity consumed also depends on the read consistency selected in the request. Read more about eventual and strong consistency later in this chapter.
For example, given a table without a local secondary index, you will consume 1 capacity unit if you read an item that is 4 KB or smaller. Similarly, for write operations you will consume 1 capacity unit if you write an item that is 1 KB or smaller. This means that if you read an item that is 110 KB, you will consume 28 capacity units, or 110/4 = 27.5 rounded up to 28. For read operations that are strongly consistent, they will use twice the number of capacity units, or 56 in this example.
You can use Amazon CloudWatch to monitor your Amazon DynamoDB capacity and make scaling decisions. There is a rich set of metrics, including ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits. If you do exceed your provisioned capacity for a period of time, requests will be throttled and can be retried later. You can monitor and alert on the ThrottledRequests metric using Amazon CloudWatch to notify you of changing usage patterns.
Secondary Indexes
When you create a table with a partition and sort key (formerly known as a hash and range key), you can optionally define one or more secondary indexes on that table. A secondary index lets you query the data in the table using an alternate key, in addition to queries against the primary key. Amazon DynamoDB supports two different kinds of indexes:
Global Secondary Index: The global secondary index is an index with a partition and sort key that can be different from those on the table. You can create or delete a global secondary index on a table at any time.
Local Secondary Index: The local secondary index is an index that has the same partition key attribute as the primary key of the table, but a different sort key. You can only create a local secondary index when you create a table.
Secondary indexes allow you to search a large table efficiently and avoid an expensive scan operation to find items with specific attributes. These indexes allow you to support different query access patterns and use cases beyond what is possible with only a primary key. While a table can only have one local secondary index, you can have multiple global secondary indexes.
Amazon DynamoDB updates each secondary index when an item is modified. These updates consume write capacity units. For a local secondary index, item updates will consume write capacity units from the main table, while global secondary indexes maintain their own provisioned throughput settings separate from the table.
Writing and Reading Data
After you create a table with a primary key and indexes, you can begin writing and reading items to the table. Amazon DynamoDB provides multiple operations that let you create, update, and delete individual items. Amazon DynamoDB also provides multiple querying options that let you search a table or an index or retrieve back a specific item or a batch of items.
Writing Items
Amazon DynamoDB provides three primary API actions to create, update, and delete items: PutItem, UpdateItem, and DeleteItem. Using the PutItem action, you can create a new item with one or more attributes. Calls to PutItem will update an existing item if the primary key already exists. PutItem only requires a table name and a primary key; any additional attributes are optional.
The UpdateItem action will find existing items based on the primary key and replace the attributes. This operation can be useful to only update a single attribute and leave the other attributes unchanged. UpdateItem can also be used to create items if they don’t already exist. Finally, you can remove an item from a table by using DeleteItem and specifying a specific primary key.
The UpdateItem action also provides support for atomic counters. Atomic counters allow you to increment and decrement a value and are guaranteed to be consistent across multiple concurrent requests. For example, a counter attribute used to track the overall score of a mobile game can be updated by many clients at the same time.
These three actions also support conditional expressions that allow you to perform validation before an action is applied. For example, you can apply a conditional expression on PutItem that checks that certain conditions are met before the item is created. This can be useful to prevent accidental overwrites or to enforce some type of business logic checks.
Reading Items
After an item has been created, it can be retrieved through a direct lookup by calling the GetItem action or through a search using the Query or Scan action. GetItem allows you to retrieve an item based on its primary key. All of the item’s attributes are returned by default, and you have the option to select individual attributes to filter down the results.
If a primary key is composed of a partition key, the entire partition key needs to be specified to retrieve the item. If the primary key is a composite of a partition key and a sort key, GetItem will require both the partition and sort key as well. Each call to GetItem consumes read capacity units based on the size of the item and the consistency option selected.
By default, a GetItem operation performs an eventually consistent read. You can optionally request a strongly consistent read instead; this will consume additional read capacity units, but it will return the most up-to-date version of the item.
Eventual Consistency
When reading items from Amazon DynamoDB, the operation can be either eventually consistent or strongly consistent. Amazon DynamoDB is a distributed system that stores multiple copies of an item across an AWS Region to provide high availability and increased durability. When an item is updated in Amazon DynamoDB, it starts replicating across multiple servers. Because Amazon DynamoDB is a distributed system, the replication can take some time to complete. Because of this we refer to the data as being eventually consistent, meaning that a read request immediately after a write operation might not show the latest change. In some cases, the application needs to guarantee that the data is the latest, and Amazon DynamoDB offers an option for strongly consistent reads.
Eventually Consistent Reads: When you read data, the response might not reflect the results of a recently completed write operation. The response might include some stale data. Consistency across all copies of the data is usually reached within a second; if you repeat your read request after a short time, the response returns the latest data.
Strongly Consistent Reads: When you issue a strongly consistent read request, Amazon DynamoDB returns a response with the most up-to-date data that reflects updates by all prior related write operations to which Amazon DynamoDB returned a successful response. A strongly consistent read might be less available in the case of a network delay or outage. You can request a strongly consistent read result by specifying optional parameters in your request.
Batch Operations
Amazon DynamoDB also provides several operations designed for working with large batches of items, including BatchGetItem and BatchWriteItem. Using the BatchWriteItem action, you can perform up to 25 item creates or updates with a single operation. This allows you to minimize the overhead of each individual call when processing large numbers of items.
Searching Items
Amazon DynamoDB also gives you two operations, Query and Scan, that can be used to search a table or an index. A Query operation is the primary search operation you can use to find items in a table or a secondary index using only primary key attribute values. Each Query requires a partition key attribute name and a distinct value to search. You can optionally provide a sort key value and use a comparison operator to refine the search results. Results are automatically sorted by the primary key and are limited to 1 MB.
In contrast to a Query, a Scan operation will read every item in a table or a secondary index. By default, a Scan operation returns all of the data attributes for every item in the table or index. Each request can return up to 1 MB of data. Items can be filtered out using expressions, but this can be a resource-intensive operation. If the result set for a Query or a Scan exceeds 1 MB, you can page through the results in 1 MB increments.
For most operations, performing a Query operation instead of a Scan operation will be the most efficient option. Performing a Scan operation will result in a full scan of the entire table or secondary index, then it filters out values to provide the desired result. Use a Query operation when possible and avoid a Scan on a large table or index for only a small number of items.
Scaling and Partitioning
Amazon DynamoDB is a fully managed service that abstracts away most of the complexity involved in building and scaling a NoSQL cluster. You can create tables that can scale up to hold a virtually unlimited number of items with consistent low-latency performance. An Amazon DynamoDB table can scale horizontally through the use of partitions to meet the storage and performance requirements of your application. Each individual partition represents a unit of compute and storage capacity. A well-designed application will take the partition structure of a table into account to distribute read and write transactions evenly and achieve high transaction rates at low latencies.
Amazon DynamoDB stores items for a single table across multiple partitions, as represented in Figure 7.4. Amazon DynamoDB decides which partition to store the item in based on the partition key. The partition key is used to distribute the new item among all of the available partitions, and items with the same partition key will be stored on the same partition.
FIGURE 7.4 Table partitioning
As the number of items in a table grows, additional partitions can be added by splitting an existing partition. The provisioned throughput configured for a table is also divided evenly among the partitions. Provisioned throughput allocated to a partition is entirely dedicated to that partition, and there is no sharing of provisioned throughput across partitions.
When a table is created, Amazon DynamoDB configures the table’s partitions based on the desired read and write capacity. One single partition can hold about 10 GB of data and supports a maximum of 3,000 read capacity units or 1,000 write capacity units. For partitions that are not fully using their provisioned capacity, Amazon DynamoDB provides some burst capacity to handle spikes in traffic. A portion of your unused capacity will be reserved to handle bursts for short periods.
As storage or capacity requirements change, Amazon DynamoDB can split a partition to accommodate more data or higher provisioned request rates. After a partition is split, however, it cannot be merged back together. Keep this in mind when planning to increase provisioned capacity temporarily and then lower it again. With each additional partition added, its share of the provisioned capacity is reduced.
To achieve the full amount of request throughput provisioned for a table, keep your workload spread evenly across the partition key values. Distributing requests across partition key values distributes the requests across partitions. For example, if a table has 10,000 read capacity units configured but all of the traffic is hitting one partition key, you will not be able to get more than the 3,000 maximum read capacity units that one partition can support.
To maximize Amazon DynamoDB throughput, create tables with a partition key that has a large number of distinct values and ensure that the values are requested fairly uniformly. Adding a random element that can be calculated or hashed is one common technique to improve partition distribution.
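The capacity-unit arithmetic from the Provisioned Capacity section and the partition limits from this section, worked through in code. This is an added example, not code from the study guide; the partition-count formula and the hashed-suffix key sharding helper are assumptions (a commonly cited sizing rule and one way to implement the "random element" the text mentions), not rules the chapter states.

```python
"""Provisioned-capacity and partition arithmetic for an Amazon DynamoDB table.

Added example, not code from the study guide. It encodes the rules the
chapter states: one read capacity unit covers an item of up to 4 KB
(strongly consistent reads cost twice as much), one write capacity unit
covers up to 1 KB, a single partition holds about 10 GB and serves at most
3,000 RCU or 1,000 WCU, and provisioned throughput is split evenly across
partitions. The partition-count formula and the key-sharding helper are
assumptions, not something the chapter spells out.
"""
import hashlib
import math

READ_UNIT_BYTES = 4 * 1024            # 1 RCU = one eventually consistent read of <= 4 KB
WRITE_UNIT_BYTES = 1024               # 1 WCU = one write of <= 1 KB
MAX_RCU_PER_PARTITION = 3000
MAX_WCU_PER_PARTITION = 1000
MAX_PARTITION_BYTES = 10 * 1024 ** 3  # "about 10 GB" per partition


def read_capacity_units(item_bytes: int, strongly_consistent: bool = False) -> int:
    """RCUs consumed by reading one item; size is rounded up to 4 KB blocks."""
    units = max(1, math.ceil(item_bytes / READ_UNIT_BYTES))
    return units * 2 if strongly_consistent else units


def write_capacity_units(item_bytes: int) -> int:
    """WCUs consumed by writing one item; size is rounded up to 1 KB blocks."""
    return max(1, math.ceil(item_bytes / WRITE_UNIT_BYTES))


def partition_count(rcu: int, wcu: int, table_bytes: int) -> int:
    """Partitions needed so that no partition exceeds its throughput or size limit.

    Assumption: partitions = max(ceil(rcu/3000 + wcu/1000), ceil(size / 10 GB)).
    """
    by_throughput = math.ceil(rcu / MAX_RCU_PER_PARTITION + wcu / MAX_WCU_PER_PARTITION)
    by_size = math.ceil(table_bytes / MAX_PARTITION_BYTES)
    return max(1, by_throughput, by_size)


def per_partition_rcu(rcu: int, wcu: int, table_bytes: int) -> float:
    """Provisioned throughput is divided evenly, so each partition gets this share."""
    return rcu / partition_count(rcu, wcu, table_bytes)


def hot_key_read_ceiling(rcu: int, wcu: int, table_bytes: int) -> float:
    """Reads per second available when every request targets one partition key.

    All items with the same partition key live on one partition, so the
    workload is limited to that partition's share (never above 3,000 RCU),
    no matter how much is provisioned for the table as a whole.
    """
    return min(per_partition_rcu(rcu, wcu, table_bytes), MAX_RCU_PER_PARTITION)


def sharded_partition_key(base_key: str, spread_value: str, shard_count: int) -> str:
    """Spread a hot logical key over shard_count physical partition keys.

    A suffix is derived by hashing an attribute that varies per item (for
    example an order id or timestamp), so writes for one logical key land on
    several partition keys. Reads must then fan out over shard_keys_for().
    """
    digest = hashlib.sha256(spread_value.encode("utf-8")).digest()
    suffix = int.from_bytes(digest[:4], "big") % shard_count
    return f"{base_key}#{suffix}"


def shard_keys_for(base_key: str, shard_count: int) -> list:
    """All physical partition keys a reader must query for one logical key."""
    return [f"{base_key}#{i}" for i in range(shard_count)]


if __name__ == "__main__":
    # Worked numbers from the chapter: a 110 KB item costs 28 RCU, or 56 strongly consistent.
    print(read_capacity_units(110 * 1024), read_capacity_units(110 * 1024, strongly_consistent=True))
    # 10,000 RCU table with all traffic on one key: far below the provisioned total.
    print(hot_key_read_ceiling(10_000, 0, 0))
```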
Security
Amazon DynamoDB gives you granular control over the access rights and permissions for users and administrators. Amazon DynamoDB integrates with the IAM service to provide strong control over permissions using policies. You can create one or more policies that allow or deny specific operations on specific tables. You can also use conditions to restrict access to individual items or attributes.
All operations must first be authenticated as a valid user or user session. Applications that need to read and write from Amazon DynamoDB need to obtain a set of temporary or permanent access control keys. While these keys could be stored in a configuration file, a best practice is for applications running on AWS to use IAM Amazon EC2 instance profiles to manage credentials. IAM Amazon EC2 instance profiles or roles allow you to avoid storing sensitive keys in configuration files that must then be secured.
For mobile applications, a best practice is to use a combination of web identity federation with the AWS Security Token Service (AWS STS) to issue temporary keys that expire after a short period.
Amazon DynamoDB also provides support for fine-grained access control that can restrict access to specific items within a table or even specific attributes within an item. For example, you may want to limit a user to only access his or her items within a table and prevent access to items associated with a different user. Using conditions in an IAM policy allows you to restrict which actions a user can perform, on which tables, and to which attributes a user can read or write.
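The fine-grained access control described above, as an added example that is not code from the study guide: an IAM policy using the dynamodb:LeadingKeys and dynamodb:Attributes condition keys so a federated user can only touch items whose partition key equals their own identity in the UserProfile table from Exercise 7.4, plus a toy evaluator that mimics how those conditions are applied. The Region and account id in the ARN are placeholders, the attribute list is constructed, and the evaluator is a simplification of real IAM evaluation.

```python
"""Fine-grained access control for an Amazon DynamoDB table via IAM conditions.

Added example, not code from the study guide. It builds an IAM policy that
limits a web-identity user to the items whose partition key equals their own
user id and to a fixed set of attributes in the UserProfile table, and a
small evaluator that mimics how the ForAllValues conditions are checked.
The ARN Region/account are placeholders; the evaluator is a simplification.
"""
import json

TABLE_ARN = "arn:aws:dynamodb:REGION:ACCOUNT-ID:table/UserProfile"  # placeholder ARN
USER_ID_VARIABLE = "${www.amazon.com:user_id}"  # IAM substitutes the federated user's id here
ALLOWED_ATTRIBUTES = ["userID", "name", "email"]  # constructed for the example


def build_policy() -> dict:
    """Allow item-level actions only on the caller's own items and only on listed attributes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnItemsOnly",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:GetItem",
                    "dynamodb:Query",
                    "dynamodb:PutItem",
                    "dynamodb:UpdateItem",
                ],
                "Resource": TABLE_ARN,
                "Condition": {
                    # Every partition key value in the request must equal the caller's id,
                    # and every attribute named in the request must be in the allowed list.
                    "ForAllValues:StringEquals": {
                        "dynamodb:LeadingKeys": [USER_ID_VARIABLE],
                        "dynamodb:Attributes": ALLOWED_ATTRIBUTES,
                    },
                    # Force callers to name attributes explicitly so the Attributes
                    # condition cannot be bypassed by a full-item read or return value.
                    "StringEqualsIfExists": {
                        "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                        "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"],
                    },
                },
            }
        ],
    }


def policy_json() -> str:
    """The policy document as it would be attached to the federated role."""
    return json.dumps(build_policy(), indent=2)


def is_allowed(policy: dict, caller_user_id: str, action: str,
               partition_keys: list, attributes: list) -> bool:
    """Toy check of the policy against one request.

    partition_keys: every partition key value the request touches.
    attributes: every attribute name the request reads or writes.
    Returns False (implicit deny) when no Allow statement matches.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or action not in statement["Action"]:
            continue
        for_all = statement["Condition"]["ForAllValues:StringEquals"]
        allowed_keys = {k.replace(USER_ID_VARIABLE, caller_user_id)
                        for k in for_all["dynamodb:LeadingKeys"]}
        allowed_attrs = set(for_all["dynamodb:Attributes"])
        keys_ok = all(k in allowed_keys for k in partition_keys)
        attrs_ok = set(attributes) <= allowed_attrs
        if keys_ok and attrs_ok:
            return True
    return False


if __name__ == "__main__":
    print(policy_json())
    policy = build_policy()
    print(is_allowed(policy, "U01", "dynamodb:GetItem", ["U01"], ["name"]))  # own item: True
    print(is_allowed(policy, "U01", "dynamodb:GetItem", ["U02"], ["name"]))  # other user: False
```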
Amazon DynamoDB Streams
A common requirement for many applications is to keep track of recent changes and then perform some kind of processing on the changed records. Amazon DynamoDB Streams makes it easy to get a list of item modifications for the last 24-hour period. For example, you might need to calculate metrics on a rolling basis and update a dashboard, or maybe synchronize two tables or log activity and changes to an audit trail. With Amazon DynamoDB Streams, these types of applications become easier to build.
Amazon DynamoDB Streams allows you to extend application functionality without modifying the original application. By reading the log of activity changes from the stream, you can build new integrations or support new reporting requirements that weren’t part of the original design.
Each item change is buffered in a time-ordered sequence or stream that can be read by other applications. Changes are logged to the stream in near real-time and allow you to respond quickly or chain together a sequence of events based on a modification.
Streams can be enabled or disabled for an Amazon DynamoDB table using the AWS Management Console, Command Line Interface (CLI), or SDK. A stream consists of stream records. Each stream record represents a single data modification in the Amazon DynamoDB table to which the stream belongs. Each stream record is assigned a sequence number, reflecting the order in which the record was published to the stream.
Stream records are organized into groups, also referred to as shards. Each shard acts as a container for multiple stream records and contains information on accessing and iterating through the records. Shards live for a maximum of 24 hours and, with fluctuating load levels, could be split one or more times before they are eventually closed.
To build an application that reads from a shard, it is recommended to use the Amazon DynamoDB Streams Kinesis Adapter. The Kinesis Client Library (KCL) simplifies the application logic required to process reading records from streams and shards.
Summary
In this chapter, you learned the basic concepts of relational databases, data warehouses, and NoSQL databases. You also learned about the benefits and features of AWS managed database services Amazon RDS, Amazon Redshift, and Amazon DynamoDB.
Amazon RDS manages the heavy lifting involved in administering a database infrastructure and software and lets you focus on building the relational schemas that best fit your use case and the performance tuning to optimize your queries.
Amazon RDS supports popular open-source and commercial database engines and provides a consistent operational model for common administrative tasks. Increase your availability by running a master-slave configuration across Availability Zones using Multi-AZ deployment. Scale your application and increase your database read performance using read replicas.
Amazon Redshift allows you to deploy a data warehouse cluster that is optimized for analytics and reporting workloads within minutes. Amazon Redshift distributes your records using columnar storage and parallelizes your query execution across multiple compute nodes to deliver fast query performance. Amazon Redshift clusters can be scaled up or down to support large, petabyte-scale databases using SSD or magnetic disk storage.
Connect to Amazon Redshift clusters using standard SQL clients with JDBC/ODBC drivers and execute SQL queries using many of the same analytics and ETL tools that you use today. Load data into your Amazon Redshift clusters using the COPY command to bulk import flat files stored in Amazon S3, then run standard SELECT commands to search and query the table.
Back up both your Amazon RDS databases and Amazon Redshift clusters using automated and manual snapshots to allow for point-in-time recovery. Secure your Amazon RDS and Amazon Redshift databases using a combination of IAM, database-level access control, network-level access control, and data encryption techniques.
Amazon DynamoDB simplifies the administration and operations of a NoSQL database in the cloud. Amazon DynamoDB allows you to create tables quickly that can scale to an unlimited number of items and configure very high levels of provisioned read and write capacity.
Amazon DynamoDB tables provide a flexible data storage mechanism that only requires a primary key and allows for one or more attributes. Amazon DynamoDB supports both simple scalar data types like String and Number, and also more complex structures using List and Map. Secure your Amazon DynamoDB tables using IAM and restrict access to items and attributes using fine-grained access control.
Amazon DynamoDB will handle the difficult task of cluster and partition management and provide you with a highly available database table that replicates data across Availability Zones for increased durability. Track and process recent changes by tapping into Amazon DynamoDB Streams.
Exam Essentials
Know what a relational database is. A relational database consists of one or more tables. Communication to and from relational databases usually involves simple SQL queries, such as “Add a new record,” or “What is the cost of product x?” These simple queries are often referred to as OLTP.
Understand which databases are supported by Amazon RDS. Amazon RDS currently supports six relational database engines:
Microsoft SQL Server
MySQL Server
Oracle
PostgreSQL
MariaDB
Amazon Aurora
Understand the operational benefits of using Amazon RDS. Amazon RDS is a managed service provided by AWS. AWS is responsible for patching, antivirus, and management of the underlying guest OS for Amazon RDS. Amazon RDS greatly simplifies the process of setting a secondary slave with replication for failover and setting up read replicas to offload queries.
Remember that you cannot access the underlying OS for Amazon RDS DB instances. You cannot use Remote Desktop Protocol (RDP) or SSH to connect to the underlying OS. If you need to access the OS, install custom software or agents, or want to use a database engine not supported by Amazon RDS, consider running your database on Amazon EC2 instead.
Know that you can increase availability using Amazon RDS Multi-AZ deployment. Add fault tolerance to your Amazon RDS database using Multi-AZ deployment. You can quickly set up a secondary DB Instance in another Availability Zone with Multi-AZ for rapid failover.
Understand the importance of RPO and RTO. Each application should set RPO and RTO targets to define the amount of acceptable data loss and also the amount of time required to recover from an incident. Amazon RDS can be used to meet a wide range of RPO and RTO requirements.
Understand that Amazon RDS handles Multi-AZ failover for you. If your primary Amazon RDS Instance becomes unavailable, AWS fails over to your secondary instance in another Availability Zone automatically. This failover is done by pointing your existing database endpoint to a new IP address. You do not have to change the connection string manually; AWS handles the DNS change automatically.
Remember that Amazon RDS read replicas are used for scaling out and increased performance. This replication feature makes it easy to scale out your read-intensive databases. Read replicas are currently supported in Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora. You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. Amazon RDS uses native replication to propagate changes made to a source DB Instance to any associated read replicas. Amazon RDS also supports cross-region read replicas to replicate changes asynchronously to another geography or AWS Region.
Know what a NoSQL database is. NoSQL databases are non-relational databases, meaning that you do not have to have an existing table created in which to store your data. NoSQL databases come in the following formats:
Document databases
Graph stores
Key/value stores
Wide-column stores
Remember that Amazon DynamoDB is AWS NoSQL service. You should remember that for NoSQL databases, AWS provides a fully managed service called Amazon DynamoDB. Amazon DynamoDB is an extremely fast NoSQL database with predictable performance and high scalability. You can use Amazon DynamoDB to create a table that can store and retrieve any amount of data and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of partitions to handle the request capacity specified by the customer and the amount of data stored, while maintaining consistent and fast performance.
Know what a data warehouse is. A data warehouse is a central repository for data that can come from one or more sources. This data repository would be used for query and analysis using OLAP. An organization’s management typically uses a data warehouse to compile reports on specific data. Data warehouses are usually queried with highly complex queries.
Remember that Amazon Redshift is AWS data warehouse service. You should remember that Amazon Redshift is Amazon’s data warehouse service. Amazon Redshift organizes the data by column instead of storing data as a series of rows. Because only the columns involved in the queries are processed and columnar data is stored sequentially on the storage media, column-based systems require far fewer I/Os, which greatly improves query performance. Another advantage of columnar data storage is the increased compression, which can further reduce overall I/O.
Exercises
In order to pass the exam, you should practice deploying databases and creating tables using Amazon RDS, Amazon DynamoDB, and Amazon Redshift. Remember to delete any resources you provision to minimize any charges.
EXERCISE 7.1
Create a MySQL Amazon RDS Instance
1. Log in to the AWS Management Console, and navigate to the Amazon RDS Console.
2. Launch a new Amazon RDS DB Instance, and select MySQL Community Edition instance as the database engine.
3. Configure the DB Instance to use Multi-AZ and General Purpose (SSD) storage.
Warning: This is not eligible for AWS Free Tier; you will incur a small charge by provisioning this instance.
4. Set the DB Instance identifier and database name to MySQL123, and configure the master username and password.
5. Validate the configuration settings, and launch the DB Instance.
6. Return to the list of the Amazon RDS instances. You will see the status of your Amazon RDS database as Creating. It may take up to 20 minutes to create your new Amazon RDS instance.
You have provisioned your first Amazon RDS instance using Multi-AZ.
EXERCISE 7.2
Simulate a Failover from One AZ to Another
In this exercise, you will use Multi-AZ failover to simulate a failover from one Availability Zone to another.
1. In the Amazon RDS Console, view the list of DB Instances.
2. Find your DB Instance called MySQL123, and check its status. When its status is Available, proceed to the next step.
3. Select the instance, and issue a Reboot command from the actions menu.
4. Confirm the reboot.
You have now simulated a failover from one Availability Zone to another using Multi-AZ failover. The failover should take approximately two or three minutes.
EXERCISE 7.3
Create a Read Replica
In this exercise, you will create a read replica of your existing MySQL123 DB server.
1. In the Amazon RDS Console, view the list of DB Instances.
2. Find your DB Instance called MySQL123, and check its status. When its status is Available, proceed to the next step.
3. Select the instance, and issue a Create Read Replica command from the list of actions.
4. Configure the name of the read replica and any other settings. Create the replica.
5. Wait for the replica to be created, which can typically take several minutes. When it is complete, delete both the MySQL123 and MySQL Read Replica databases by clicking the checkboxes next to them, clicking the Instance Actions drop-down box, and then clicking Delete.
In the preceding exercises, you created a new Amazon RDS MySQL instance with Multi-AZ enabled. You then simulated a failover from one Availability Zone to another by rebooting the primary instance. After that, you scaled your Amazon RDS instance out by creating a read replica of the primary database. Delete the DB Instance.
EXERCISE 7.4
Read and Write from a DynamoDB Table
In this exercise, you will create an Amazon DynamoDB table and then read and write to it using the AWS Management Console.
1. Log in to the AWS Management Console, and view the Amazon DynamoDB console.
2. Create a new table named UserProfile with a partition key of userID of type String.
3. After the table has been created, view the list of items in the table.
4. Using the Amazon DynamoDB console, create and save a new item in the table. Set the userID to U01, and append another String attribute called name with a value of Joe.
5. Perform a scan on the table to retrieve the new item.
You have now created a simple Amazon DynamoDB table, put a new item, and retrieved it using Scan. Delete the DynamoDB table.
EXERCISE 7.5
Launch a Redshift Cluster
In this exercise, you will create a data warehouse using Amazon Redshift and then read and write to it using the AWS Management Console.
1. Log in to the AWS Management Console, and view the Amazon Redshift Console.
2. Create a new cluster, configuring the database name, username, and password.
3. Configure the cluster to be single node using one SSD-backed storage node.
4. Launch the cluster into an Amazon VPC using the appropriate security group.
5. Install and configure SQL Workbench on your local computer, and connect to the new cluster.
6. Create a new table and load data using the COPY command.
You have now created an Amazon Redshift cluster and connected to it using a standard SQL client. Delete the cluster when you have completed the exercise.
Review Questions
1. Which AWS database service is best suited for traditional Online Transaction Processing (OLTP)?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Elastic Database
2. Which AWS database service is best suited for non-relational databases?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Amazon DynamoDB
3. You are a solutions architect working for a media company that hosts its website on AWS. Currently, there is a single Amazon Elastic Compute Cloud (Amazon EC2) Instance on AWS with MySQL installed locally to that Amazon EC2 Instance. You have been asked to make the company’s production environment more resilient and to increase performance. You suggest that the company split out the MySQL database onto an Amazon RDS Instance with Multi-AZ enabled. This addresses the company’s increased resiliency requirements. Now you need to suggest how you can increase performance. Ninety-nine percent of the company’s end users are magazine subscribers who will be reading additional articles on the website, so only one percent of end users will need to write data to the site. What should you suggest to increase performance?
A. Alter the connection string so that if a user is going to write data, it is written to the secondary copy of the Multi-AZ database.
B. Alter the connection string so that if a user is going to write data, it is written to the primary copy of the Multi-AZ database.
C. Recommend that the company use read replicas, and distribute the traffic across multiple read replicas.
D. Migrate the MySQL database to Amazon Redshift to take advantage of columnar storage and maximize performance.
4. Which AWS Cloud service is best suited for Online Analytics Processing (OLAP)?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Amazon DynamoDB
5. You have been using Amazon Relational Database Service (Amazon RDS) for the last year to run an important application with automated backups enabled. One of your team members is performing routine maintenance and accidentally drops an important table, causing an outage. How can you recover the missing data while minimizing the duration of the outage?
A. Perform an undo operation and recover the table.
B. Restore the database from a recent automated DB snapshot.
C. Restore only the dropped table from the DB snapshot.
D. The data cannot be recovered.
6. Which Amazon Relational Database Service (Amazon RDS) database engines support Multi-AZ?
A. All of them
B. Microsoft SQL Server, MySQL, and Oracle
C. Oracle, Amazon Aurora, and PostgreSQL
D. MySQL
7. Which Amazon Relational Database Service (Amazon RDS) database engines support read replicas?
A. Microsoft SQL Server and Oracle
B. MySQL, MariaDB, PostgreSQL, and Aurora
C. Aurora, Microsoft SQL Server, and Oracle
D. MySQL and PostgreSQL
8. Your team is building an order processing system that will span multiple Availability Zones. During testing, the team wanted to test how the application will react to a database failover. How can you enable this type of test?
A. Force a Multi-AZ failover from one Availability Zone to another by rebooting the primary instance using the Amazon RDS console.
B. Terminate the DB instance, and create a new one. Update the connection string.
C. Create a support case asking for a failover.
D. It is not possible to test a failover.
9. You are a system administrator whose company has moved its production database to AWS. Your company monitors its estate using Amazon CloudWatch, which sends alarms using Amazon Simple Notification Service (Amazon SNS) to your mobile phone. One night, you get an alert that your primary Amazon Relational Database Service (Amazon RDS) Instance has gone down. You have Multi-AZ enabled on this instance. What should you do to ensure the failover happens quickly?
A. Update your Domain Name System (DNS) to point to the secondary instance’s new IP address, forcing your application to fail over to the secondary instance.
B. Connect to your server using Secure Shell (SSH) and update your connection strings so that your application can communicate to the secondary instance instead of the failed primary instance.
C. Take a snapshot of the secondary instance and create a new instance using this snapshot, then update your connection string to point to the new instance.
D. No action is necessary. Your connection string points to the database endpoint, and AWS automatically updates this endpoint to point to your secondary instance.
10. You are working for a small organization without a dedicated database administrator on staff. You need to install Microsoft SQL Server Enterprise edition quickly to support an accounting back office application on Amazon Relational Database Service (Amazon RDS). What should you do?
A. Launch an Amazon RDS DB Instance, and select Microsoft SQL Server Enterprise Edition under the Bring Your Own License (BYOL) model.
B. Provision SQL Server Enterprise Edition using the License Included option from the Amazon RDS Console.
C. SQL Server Enterprise edition is only available via the Command Line Interface (CLI). Install the command-line tools on your laptop, and then provision your new Amazon RDS Instance using the CLI.
D. You cannot use SQL Server Enterprise edition on Amazon RDS. You should install this onto a dedicated Amazon Elastic Compute Cloud (Amazon EC2) Instance.
11. You are building the database tier for an enterprise application that gets occasional activity throughout the day. Which storage type should you select as your default option?
A. Magnetic storage
B. General Purpose Solid State Drive (SSD)
C. Provisioned IOPS (SSD)
D. Storage Area Network (SAN)-attached
12. You are designing an e-commerce web application that will scale to potentially hundreds of thousands of concurrent users. Which database technology is best suited to hold the session state for large numbers of concurrent users?
A. Relational database using Amazon Relational Database Service (Amazon RDS)
B. NoSQL database table using Amazon DynamoDB
C. Data warehouse using Amazon Redshift
D. Amazon Simple Storage Service (Amazon S3)
13. Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers)
A. DB snapshots
B. DB option groups
C. Read replica
D. Multi-AZ deployment
14. When using Amazon Relational Database Service (Amazon RDS) Multi-AZ, how can you offload read requests from the primary? (Choose 2 answers)
A. Configure the connection string of the clients to connect to the secondary node and perform reads while the primary is used for writes.
B. Amazon RDS automatically sends writes to the primary and sends reads to the secondary.
C. Add a read replica DB instance, and configure the client’s application logic to use a read-replica.
D. Create a caching environment using ElastiCache to cache frequently used data. Update the application logic to read/write from the cache.
15. You are building a large order processing system and are responsible for securing the database. Which actions will you take to protect the data? (Choose 3 answers)
A. Adjust AWS Identity and Access Management (IAM) permissions for administrators.
B. Configure security groups and network Access Control Lists (ACLs) to limit network access.
C. Configure database users, and grant permissions to database objects.
D. Install anti-virus software on the Amazon RDS DB Instance.
16. Your team manages a popular website running an Amazon Relational Database Service (Amazon RDS) MySQL backend. The Marketing department has just informed you about an upcoming television commercial that will drive thousands of new visitors to the website. How can you prepare your database to handle the load? (Choose 3 answers)
A. Vertically scale the DB Instance by selecting a more powerful instance class.
B. Create read replicas to offload read requests and update your application.
C. Upgrade the storage from Magnetic volumes to General Purpose Solid State Drive (SSD) volumes.
D. Upgrade to Amazon Redshift for faster columnar storage.
17. You are building a photo management application that maintains metadata on millions of images in an Amazon DynamoDB table. When a photo is retrieved, you want to display the metadata next to the image. Which Amazon DynamoDB operation will you use to retrieve the metadata attributes from the table?
A. Scan operation
B. Search operation
C. Query operation
D. Find operation
18. You are creating an Amazon DynamoDB table that will contain messages for a social chat application. This table will have the following attributes: Username (String), Timestamp (Number), Message (String). Which attribute should you use as the partition key? The sort key?
A. Username, Timestamp
B. Username, Message
C. Timestamp, Message
D. Message, Timestamp
19. Which of the following statements about Amazon DynamoDB tables are true? (Choose 2 answers)
A. Global secondary indexes can only be created when the table is being created.
B. Local secondary indexes can only be created when the table is being created.
C. You can only have one global secondary index.
D. You can only have one local secondary index.
20. Which of the following workloads are a good fit for running on Amazon Redshift? (Choose 2 answers)
A. Transactional database supporting a busy e-commerce order processing website
B. Reporting database supporting back-office analytics
C. Data warehouse used to aggregate multiple disparate data sources
D. Manage session state and user profile data for thousands of concurrent users
Chapter 8
SQS, SWF, and SNS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Architectural trade-off decisions (e.g., high availability vs. cost, Amazon Relational Database Service [Amazon RDS] vs. installing your own database on Amazon Elastic Compute Cloud [Amazon EC2])
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon VPC, and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Domain 4.0: Troubleshooting
Content may include the following:
General troubleshooting information and questions
There are a number of services under the Application and Mobile Services section of the AWS Management Console. At the time of writing this chapter, application services include Amazon Simple Queue Service (Amazon SQS), Amazon Simple Workflow Service (Amazon SWF), Amazon AppStream, Amazon Elastic Transcoder, Amazon Simple Email Service (Amazon SES), Amazon CloudSearch, and Amazon API Gateway. Mobile services include Amazon Cognito, Amazon Simple Notification Service (Amazon SNS), AWS Device Farm, and Amazon Mobile Analytics. This chapter focuses on the core services you are required to be familiar with to pass the exam: Amazon SQS, Amazon SWF, and Amazon SNS.
Amazon Simple Queue Service (Amazon SQS)
Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. You can use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be continuously available.
With Amazon SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster while paying a low price for only what you use. Using Amazon SQS, you can store application messages on reliable and scalable infrastructure, enabling you to move data between distributed components to perform different tasks as needed.
An Amazon SQS queue is basically a buffer between the application components that receive data and those components that process the data in your system. If your processing servers cannot process the work fast enough (perhaps due to a spike in traffic), the work is queued so that the processing servers can get to it when they are ready. This means that work is not lost due to insufficient resources.
Amazon SQS ensures delivery of each message at least once and supports multiple readers and writers interacting with the same queue. A single queue can be used simultaneously by many distributed application components, with no need for those components to coordinate with one another to share the queue. Although most of the time each message will be delivered to your application exactly once, you should design your system to be idempotent (that is, it must not be adversely affected if it processes the same message more than once).
Amazon SQS is engineered to be highly available and to deliver messages reliably and efficiently; however, the service does not guarantee First In, First Out (FIFO) delivery of messages. For many distributed applications, each message can stand on its own and, if all messages are delivered, the order is not important. If your system requires that order be preserved, you can place sequencing information in each message so that you can reorder the messages when they are retrieved from the queue.
Message Lifecycle
The diagram and process shown in Figure 8.1 describe the lifecycle of an Amazon SQS message, called Message A, from creation to deletion. Assume that a queue already exists.
FIGURE 8.1 Message lifecycle
1. Component 1 sends Message A to a queue, and the message is redundantly distributed across the Amazon SQS servers.
2. When Component 2 is ready to process a message, it retrieves messages from the queue, and Message A is returned. While Message A is being processed, it remains in the queue and is not returned to subsequent receive requests for the duration of the visibility timeout.
3. Component 2 deletes Message A from the queue to prevent the message from being received and processed again after the visibility timeout expires.
Delay Queues and Visibility Timeouts
Delay queues allow you to postpone the delivery of new messages in a queue for a specific number of seconds. If you create a delay queue, any message that you send to that queue will be invisible to consumers for the duration of the delay period. To create a delay queue, use CreateQueue and set the DelaySeconds attribute to any value between 0 and 900 (15 minutes). You can also turn an existing queue into a delay queue by using SetQueueAttributes to set the queue’s DelaySeconds attribute. The default value for DelaySeconds is 0.
Delay queues are similar to visibility timeouts in that both features make messages unavailable to consumers for a specific period of time. The difference is that a delay queue hides a message when it is first added to the queue, whereas a visibility timeout hides a message only after that message is retrieved from the queue. Figure 8.2 illustrates the functioning of a visibility timeout.
FIGURE 8.2 Diagram of visibility timeout
When a message is in the queue but is neither delayed nor in a visibility timeout, it is considered to be “in flight.” You can have up to 120,000 messages in flight at any given time. Amazon SQS supports up to 12 hours’ maximum visibility timeout.
Separate Throughput from Latency
Like many other AWS Cloud services, Amazon SQS is accessed through HTTP request-response, and a typical Amazon SQS request-response takes a bit less than 20 ms from Amazon Elastic Compute Cloud (Amazon EC2). This means that from a single thread, you can, on average, issue 50+ Application Programming Interface (API) requests per second (a bit fewer for batch API requests, but those do more work). The throughput scales horizontally, so the more threads and hosts you add, the higher the throughput. Using this scaling model, some AWS customers have queues that process thousands of messages every second.
Queue Operations, Unique IDs, and Metadata
The defined operations for Amazon SQS queues are CreateQueue, ListQueues, DeleteQueue, SendMessage, SendMessageBatch, ReceiveMessage, DeleteMessage, DeleteMessageBatch, PurgeQueue, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SetQueueAttributes, GetQueueAttributes, GetQueueUrl, ListDeadLetterSourceQueues, AddPermission, and RemovePermission. Only the AWS account owner or an AWS identity that has been granted the proper permissions can perform operations.
Your messages are identified via a globally unique ID that Amazon SQS returns when the message is delivered to the queue. The ID isn’t required in order to perform any further actions on the message, but it’s useful for tracking whether a particular message in the queue has been received. When you receive a message from the queue, the response includes a receipt handle, which you must provide when deleting the message.
Queue and Message Identifiers
Amazon SQS uses three identifiers that you need to be familiar with: queue URLs, message IDs, and receipt handles.
When creating a new queue, you must provide a queue name that is unique within the scope of all of your queues. Amazon SQS assigns each queue an identifier called a queue URL, which includes the queue name and other components that Amazon SQS determines. Whenever you want to perform an action on a queue, you must provide its queue URL.
Amazon SQS assigns each message a unique ID that it returns to you in the SendMessage response. This identifier is useful for identifying messages, but note that to delete a message, you need the message’s receipt handle instead of the message ID. The maximum length of a message ID is 100 characters.
Each time you receive a message from a queue, you receive a receipt handle for that message. The handle is associated with the act of receiving the message, not with the message itself. As stated previously, to delete the message or to change the message visibility, you must provide the receipt handle and not the message ID. This means you must always receive a message before you can delete it (that is, you can’t put a message into the queue and then recall it). The maximum length of a receipt handle is 1,024 characters.
Message Attributes
Amazon SQS provides support for message attributes. Message attributes allow you to provide structured metadata items (such as timestamps, geospatial data, signatures, and identifiers) about the message. Message attributes are optional and separate from, but sent along with, the message body. The receiver of the message can use this information to help decide how to handle the message without having to process the message body first. Each message can have up to 10 attributes. To specify message attributes, you can use the AWS Management Console, AWS Software Development Kits (SDKs), or a query API.
Long Polling
When your application queries the Amazon SQS queue for messages, it calls the function ReceiveMessage. ReceiveMessage will check for the existence of a message in the queue and return immediately, either with or without a message. If your code makes periodic calls to the queue, this pattern is sufficient. If your SQS client is just a loop that repeatedly checks for new messages, however, then this pattern becomes problematic, as the constant calls to ReceiveMessage burn CPU cycles and tie up a thread.
In this situation, you will want to use long polling. With long polling, you send a WaitTimeSeconds argument to ReceiveMessage of up to 20 seconds. If there is no message in the queue, then the call will wait up to WaitTimeSeconds for a message to appear before returning. If a message appears before the time expires, the call will return the message right away. Long polling drastically reduces the amount of load on your client.
Dead Letter Queues
Amazon SQS provides support for dead letter queues. A dead letter queue is a queue that other (source) queues can target to send messages that for some reason could not be successfully processed. A primary benefit of using a dead letter queue is the ability to sideline and isolate the unsuccessfully processed messages. You can then analyze any messages sent to the dead letter queue to try to determine the cause of failure.
Messages can be sent to and received from a dead letter queue, just like any other Amazon SQS queue. You can create a dead letter queue from the Amazon SQS API and the Amazon SQS console.
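The message lifecycle, delay and visibility timeout, receipt handle and dead letter queue behaviour described in the preceding sections, as an added in-memory model (example code written for this chapter, not AWS code and not the boto3 API; the queue names, message bodies, and the manual clock are constructed for the walkthrough):

```python
"""Added example (not from the book, not AWS code, not the boto3 API): an
in-memory model of the Amazon SQS message lifecycle. It reproduces DelaySeconds,
the visibility timeout, receipt handles tied to the act of receiving, at-least-once
redelivery, and redrive to a dead letter queue once maxReceiveCount is exceeded."""
import uuid
from dataclasses import dataclass


@dataclass
class _Stored:
    message_id: str
    body: str
    visible_at: float         # clock time from which the message may be received
    receive_count: int = 0
    receipt_handle: str = ""  # handle issued by the most recent receive only


class Queue:
    """One standard (non-FIFO) queue; `clock` is a callable returning seconds."""

    def __init__(self, name, clock, delay_seconds=0, visibility_timeout=30,
                 dead_letter=None, max_receive_count=None):
        assert 0 <= delay_seconds <= 900, "DelaySeconds must be 0..900"
        assert visibility_timeout <= 12 * 3600, "visibility timeout max is 12 hours"
        self.name, self.clock = name, clock
        self.delay_seconds, self.visibility_timeout = delay_seconds, visibility_timeout
        self.dead_letter, self.max_receive_count = dead_letter, max_receive_count
        self._messages = {}   # message_id -> _Stored

    def send_message(self, body):
        """Durably store the message; returns its message ID (not a receipt handle)."""
        msg = _Stored(str(uuid.uuid4()), body, self.clock() + self.delay_seconds)
        self._messages[msg.message_id] = msg
        return msg.message_id

    def receive_message(self):
        """Return (message_id, body, receipt_handle), or None if nothing is visible.
        The message stays in the queue but is hidden for the visibility timeout; if
        it is not deleted before the timeout expires it is delivered again."""
        now = self.clock()
        for msg in list(self._messages.values()):
            if msg.visible_at > now:
                continue
            msg.receive_count += 1
            if self.dead_letter and msg.receive_count > self.max_receive_count:
                del self._messages[msg.message_id]       # redrive to dead letter queue
                self.dead_letter.send_message(msg.body)
                continue
            msg.visible_at = now + self.visibility_timeout
            msg.receipt_handle = str(uuid.uuid4())       # new handle per receive
            return msg.message_id, msg.body, msg.receipt_handle
        return None

    def delete_message(self, receipt_handle):
        """Deletion needs the handle from the latest receive, not the message ID."""
        del self._messages[self._by_handle(receipt_handle).message_id]

    def _by_handle(self, receipt_handle):
        for msg in self._messages.values():
            if msg.receipt_handle == receipt_handle:
                return msg
        raise KeyError("receipt handle is stale or unknown")

    def approximate_count(self):
        return len(self._messages)


def demo():
    """Message A from Figure 8.1, received twice because Component 2 was too slow,
    then a poison message that is never deleted. Returns a dict of checks."""
    t = [0.0]                                          # constructed manual clock
    dlq = Queue("orders-dlq", lambda: t[0])
    q = Queue("orders", lambda: t[0], delay_seconds=5, visibility_timeout=30,
              dead_letter=dlq, max_receive_count=2)
    processed = set()                                  # idempotency guard on message ID
    a_id = q.send_message("order 1001")
    hidden_by_delay = q.receive_message() is None      # DelaySeconds not yet elapsed
    t[0] += 5
    mid1, _, handle1 = q.receive_message()             # Component 2 receives Message A
    processed.add(mid1)
    hidden_in_flight = q.receive_message() is None     # visibility timeout hides A
    t[0] += 31                                         # timeout expired: redelivered
    mid2, _, handle2 = q.receive_message()
    duplicate_detected = mid2 in processed             # same ID seen again: skip work
    try:
        q.delete_message(handle1)                      # handle from the first receive
        stale_rejected = False
    except KeyError:
        stale_rejected = True
    q.delete_message(handle2)
    q.send_message("malformed order")                  # poison message, never deleted
    for _ in range(3):
        t[0] += 40
        q.receive_message()
    return {"hidden_by_delay": hidden_by_delay, "hidden_in_flight": hidden_in_flight,
            "redelivered_same_id": mid2 == a_id, "duplicate_detected": duplicate_detected,
            "stale_rejected": stale_rejected, "main_queue_empty": q.approximate_count() == 0,
            "dead_lettered": dlq.approximate_count() == 1}
```

The consumer in demo() dedupes on the message ID, which is the idempotency the text asks for: the second delivery of Message A is recognized and acknowledged without repeating the work.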
Access Control
While IAM can be used to control the interactions of different AWS identities with queues, there are often times when you will want to expose queues to other accounts. These situations may include:
You want to grant another AWS account a particular type of access to your queue (for example, SendMessage).
You want to grant another AWS account access to your queue for a specific period of time.
You want to grant another AWS account access to your queue only if the requests come from your Amazon EC2 instances.
You want to deny another AWS account access to your queue.
While close coordination between accounts may allow these types of actions through the use of IAM roles, that level of coordination is frequently unfeasible.
Amazon SQS Access Control allows you to assign policies to queues that grant specific interactions to other accounts without that account having to assume IAM roles from your account. These policies are written in the same JSON language as IAM. For example, the following sample policy gives the developer with AWS account number 111122223333 the SendMessage permission for the queue named 444455556666/queue1 in the US East (N. Virginia) region.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
    }
  ]
}
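A static check for queue policies of the kind shown above, added here as an example (not the book's code and not an AWS tool): it lists which external accounts are granted which actions, flags Allow statements open to any principal without a Condition, and rejects an invalid Version string. The sample policy is a constructed variant of the book's, with one deliberately over-broad statement added so the check has something to report.

```python
"""Added example (not from the book and not AWS code): a static audit of an
Amazon SQS queue policy. Reports external-account grants, unconditional "*"
grants, and an invalid Version value (only two Version strings are valid)."""
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}

# Constructed sample: the book's statement plus an anonymous read/delete grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "Queue1_Policy_UUID",
    "Statement": [
        {"Sid": "Queue1_SendMessage", "Effect": "Allow",
         "Principal": {"AWS": "111122223333"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"},
        {"Sid": "Queue1_AnyoneCanRead", "Effect": "Allow",
         "Principal": "*",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"},
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Reduce a Principal element to the 12-digit account IDs it names, or "*"."""
    if principal == "*":
        return ["*"]
    accounts = []
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            accounts.append("*")
        elif entry.startswith("arn:"):        # e.g. arn:aws:iam::111122223333:root
            accounts.append(entry.split(":")[4])
        else:
            accounts.append(entry)            # bare account ID
    return accounts


def audit_queue_policy(policy_json, queue_account):
    """Return (grants, findings): grants maps each external account to the set of
    lower-cased actions it is allowed; findings lists the conditions worth review."""
    policy = json.loads(policy_json)
    grants, findings = {}, []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(f"invalid Version {policy.get('Version')!r}")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                          # Deny statements only narrow access
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        for account in _principal_accounts(stmt.get("Principal", {})):
            if account == "*" and "Condition" not in stmt:
                findings.append(f"{stmt.get('Sid')}: unconditional grant of "
                                f"{sorted(actions)} to any principal")
            if account != queue_account:
                grants.setdefault(account, set()).update(actions)
    return grants, findings
```

Run against the book's original policy (one statement, account 111122223333, Version 2012-10-17) the check reports a single SendMessage grant and no findings; a Version written with dashes other than ASCII hyphens, as happens when a policy is pasted from a formatted document, is reported as invalid.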
Tradeoff Message Durability and Latency
Amazon SQS does not return success to a SendMessage API call until the message is durably stored in Amazon SQS. This makes the programming model very simple with no doubt about the safety of messages, unlike the situation with an asynchronous messaging model. If you don’t need a durable messaging system, however, you can build asynchronous, client-side batching on top of the Amazon SQS libraries that delays the enqueue of messages to Amazon SQS and transmits a set of messages in a batch. Please be aware that with a client-side batching approach, you could potentially lose messages when your client process or client host dies for any reason.
Amazon Simple Workflow Service (Amazon SWF)
Amazon SWF makes it easy to build applications that coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of your application. Coordinating tasks across the application involves managing inter-task dependencies, scheduling, and concurrency in accordance with the logical flow of the application. Amazon SWF gives you full control over implementing and coordinating tasks without worrying about underlying complexities such as tracking their progress and maintaining their state.
When using Amazon SWF, you implement workers to perform tasks. These workers can run either on cloud infrastructure, such as Amazon EC2, or on your own premises. You can create long-running tasks that might fail, time out, or require restarts, or tasks that can complete with varying throughput and latency. Amazon SWF stores tasks, assigns them to workers when they are ready, monitors their progress, and maintains their state, including details on their completion. To coordinate tasks, you write a program that gets the latest state of each task from Amazon SWF and uses it to initiate subsequent tasks. Amazon SWF maintains an application’s execution state durably so that the application is resilient to failures in individual components. With Amazon SWF, you can implement, deploy, scale, and modify these application components independently.
Workflows
Using Amazon SWF, you can implement distributed, asynchronous applications as workflows. Workflows coordinate and manage the execution of activities that can be run asynchronously across multiple computing devices and that can feature both sequential and parallel processing.
When designing a workflow, analyze your application to identify its component tasks, which are represented in Amazon SWF as activities. The workflow’s coordination logic determines the order in which activities are executed.
Workflow Domains
Domains provide a way of scoping Amazon SWF resources within your AWS account. You must specify a domain for all the components of a workflow, such as the workflow type and activity types. It is possible to have more than one workflow in a domain; however, workflows in different domains cannot interact with one another.
Workflow History
The workflow history is a detailed, complete, and consistent record of every event that occurred since the workflow execution started. An event represents a discrete change in your workflow execution’s state, such as scheduled and completed activities, task timeouts, and signals.
Actors
Amazon SWF consists of a number of different types of programmatic features known as actors. Actors can be workflow starters, deciders, or activity workers. These actors communicate with Amazon SWF through its API. You can develop actors in any programming language.
A workflow starter is any application that can initiate workflow executions. For example, one workflow starter could be an e-commerce website where a customer places an order. Another workflow starter could be a mobile application where a customer orders takeout food or requests a taxi.
Activities within a workflow can run sequentially, in parallel, synchronously, or asynchronously. The logic that coordinates the tasks in a workflow is called the decider. The decider schedules the activity tasks and provides input data to the activity workers. The decider also processes events that arrive while the workflow is in progress and closes the workflow when the objective has been completed.
An activity worker is a single computer process (or thread) that performs the activity tasks in your workflow. Different types of activity workers process tasks of different activity types, and multiple activity workers can process the same type of task. When an activity worker is ready to process a new activity task, it polls Amazon SWF for tasks that are appropriate for that activity worker. After receiving a task, the activity worker processes the task to completion and then returns the status and result to Amazon SWF. The activity worker then polls for a new task.
Tasks
Amazon SWF provides activity workers and deciders with work assignments, given as one of three types of tasks: activity tasks, AWS Lambda tasks, and decision tasks.
An activity task tells an activity worker to perform its function, such as to check inventory or charge a credit card. The activity task contains all the information that the activity worker needs to perform its function.
An AWS Lambda task is similar to an activity task, but executes an AWS Lambda function instead of a traditional Amazon SWF activity. For more information about how to define an AWS Lambda task, see the AWS documentation on AWS Lambda tasks.
A decision task tells a decider that the state of the workflow execution has changed so that the decider can determine the next activity that needs to be performed. The decision task contains the current workflow history.
Amazon SWF schedules a decision task when the workflow starts and whenever the state of the workflow changes, such as when an activity task completes. Each decision task contains a paginated view of the entire workflow execution history. The decider analyzes the workflow execution history and responds back to Amazon SWF with a set of decisions that specify what should occur next in the workflow execution. Essentially, every decision task gives the decider an opportunity to assess the workflow and provide direction back to Amazon SWF.
Task Lists
Task lists provide a way of organizing the various tasks associated with a workflow. You could think of task lists as similar to dynamic queues. When a task is scheduled in Amazon SWF, you can specify a queue (task list) to put it in. Similarly, when you poll Amazon SWF for a task, you determine which queue (task list) to get the task from.
Task lists provide a flexible mechanism to route tasks to workers as your use case necessitates. Task lists are dynamic in that you don’t need to register a task list or explicitly create it through an action—simply scheduling a task creates the task list if it doesn’t already exist.
Long Polling
Deciders and activity workers communicate with Amazon SWF using long polling. The decider or activity worker periodically initiates communication with Amazon SWF, notifying Amazon SWF of its availability to accept a task, and then specifies a task list to get tasks from. Long polling works well for high-volume task processing. Deciders and activity workers can manage their own capacity.
Object Identifiers
Amazon SWF objects are uniquely identified by workflow type, activity type, decision and activity tasks, and workflow execution:
A registered workflow type is identified by its domain, name, and version. Workflow types are specified in the call to RegisterWorkflowType.
A registered activity type is identified by its domain, name, and version. Activity types are specified in the call to RegisterActivityType.
Each decision task and activity task is identified by a unique task token. The task token is generated by Amazon SWF and is returned with other information about the task in the response from PollForDecisionTask or PollForActivityTask. Although the token is most commonly used by the process that received the task, that process could pass the token to another process, which could then report the completion or failure of the task.
A single execution of a workflow is identified by the domain, workflow ID, and run ID. The first two are parameters that are passed to StartWorkflowExecution. The run ID is returned by StartWorkflowExecution.
Workflow Execution Closure
After you start a workflow execution, it is open. An open workflow execution can be closed as completed, canceled, failed, or timed out. It can also be continued as a new execution, or it can be terminated. The decider, the person administering the workflow, or Amazon SWF can close a workflow execution.
Lifecycle of a Workflow Execution
From the start of a workflow execution to its completion, Amazon SWF interacts with actors by assigning them appropriate tasks: either activity tasks or decision tasks.
Figure 8.3 shows the lifecycle of an order-processing workflow execution from the perspective of the components that act on it.
FIGURE 8.3 Amazon SWF workflow illustration
The following 20 steps describe the workflow detailed in Figure 8.3:
1. A workflow starter calls an Amazon SWF action to start the workflow execution for an order, providing order information.
2. Amazon SWF receives the start workflow execution request and then schedules the first decision task.
3. The decider receives the task from Amazon SWF, reviews the history, and applies the coordination logic to determine that no previous activities occurred. It then makes a decision to schedule the VerifyOrder activity with the information the activity worker needs to process the task and returns the decision to Amazon SWF.
4. Amazon SWF receives the decision, schedules the VerifyOrder activity task, and waits for the activity task to complete or time out.
5. An activity worker that can perform the VerifyOrder activity receives the task, performs it, and returns the results to Amazon SWF.
6. Amazon SWF receives the results of the VerifyOrder activity, adds them to the workflow history, and schedules a decision task.
7. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a ChargeCreditCard activity task with the information the activity worker needs to process the task, and returns the decision to Amazon SWF.
8. Amazon SWF receives the decision, schedules the ChargeCreditCard activity task, and waits for it to complete or time out.
9. An activity worker that can perform the ChargeCreditCard activity receives the task, performs it, and returns the results to Amazon SWF.
10. Amazon SWF receives the results of the ChargeCreditCard activity task, adds them to the workflow history, and schedules a decision task.
11. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a ShipOrder activity task with the information the activity worker needs to perform the task, and returns the decision to Amazon SWF.
12. Amazon SWF receives the decision, schedules a ShipOrder activity task, and waits for it to complete or time out.
13. An activity worker that can perform the ShipOrder activity receives the task, performs it, and returns the results to Amazon SWF.
14. Amazon SWF receives the results of the ShipOrder activity task, adds them to the workflow history, and schedules a decision task.
15. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a RecordCompletion activity task with the information the activity worker needs to perform the task, and returns the decision to Amazon SWF.
16. Amazon SWF receives the decision, schedules a RecordCompletion activity task, and waits for it to complete or time out.
17. An activity worker that can perform the RecordCompletion activity receives the task, performs it, and returns the results to Amazon SWF.
18. Amazon SWF receives the results of the RecordCompletion activity task, adds them to the workflow history, and schedules a decision task.
19. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to close the workflow execution, and returns the decision along with any results to Amazon SWF.
20. Amazon SWF closes the workflow execution and archives the history for future reference.
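The 20-step order-processing workflow above, as an added example (written for this chapter; not the book's code and not the Amazon SWF API): the decider is a pure function of the workflow history, and a small in-memory stand-in for Amazon SWF plays the start, decision task, activity task loop. The event names, the order record, and the worker are constructed and only resemble the real SWF event types.

```python
"""Added example (not from the book and not the Amazon SWF API): the Figure 8.3
order workflow with a decider that reads only the history, plus a constructed
stand-in for Amazon SWF that schedules tasks and closes the execution."""

ORDER_PIPELINE = ["VerifyOrder", "ChargeCreditCard", "ShipOrder", "RecordCompletion"]


def decide(history):
    """Coordination logic. Returns one decision:
    ("ScheduleActivityTask", activity, input) | ("CompleteWorkflowExecution", result)
    | ("FailWorkflowExecution", reason). A failed or timed-out activity fails the
    execution rather than letting later steps (such as ShipOrder) run."""
    order = next(e["input"] for e in history if e["type"] == "WorkflowExecutionStarted")
    for e in history:
        if e["type"] in ("ActivityTaskFailed", "ActivityTaskTimedOut"):
            return ("FailWorkflowExecution", f"{e['activity']}: {e['type']}")
    completed = {e["activity"] for e in history if e["type"] == "ActivityTaskCompleted"}
    for activity in ORDER_PIPELINE:           # first pipeline step not yet completed
        if activity not in completed:
            return ("ScheduleActivityTask", activity, order)
    return ("CompleteWorkflowExecution", {"order_id": order["order_id"], "status": "fulfilled"})


def run_workflow(order, worker, max_decision_tasks=20):
    """Stand-in for Amazon SWF: keeps the history, hands the decider a decision
    task after every state change, runs scheduled activities through `worker`
    (which returns a result or raises to model a failure), and closes the
    execution. Returns the final workflow history."""
    history = [{"type": "WorkflowExecutionStarted", "input": order}]
    for _ in range(max_decision_tasks):
        history.append({"type": "DecisionTaskScheduled"})
        decision = decide(list(history))      # decider gets a view of the history
        if decision[0] == "ScheduleActivityTask":
            _, activity, activity_input = decision
            history.append({"type": "ActivityTaskScheduled", "activity": activity})
            try:
                result = worker(activity, activity_input)
            except Exception as exc:          # activity worker reported failure
                history.append({"type": "ActivityTaskFailed", "activity": activity,
                                "reason": str(exc)})
            else:
                history.append({"type": "ActivityTaskCompleted", "activity": activity,
                                "result": result})
        elif decision[0] == "CompleteWorkflowExecution":
            history.append({"type": "WorkflowExecutionCompleted", "result": decision[1]})
            return history
        else:
            history.append({"type": "WorkflowExecutionFailed", "reason": decision[1]})
            return history
    history.append({"type": "WorkflowExecutionTimedOut"})   # decider never closed it
    return history


def activities_run(history):
    """Activities scheduled during the execution, in order."""
    return [e["activity"] for e in history if e["type"] == "ActivityTaskScheduled"]


def closure(history):
    """How the execution was closed (the last history event type)."""
    return history[-1]["type"]


def sample_worker(activity, order):
    """Constructed activity worker: every step succeeds except charging a card
    that the (constructed) order record marks as declined."""
    if activity == "ChargeCreditCard" and order.get("card") == "declined":
        raise RuntimeError("card declined")
    return f"{activity} ok for {order['order_id']}"
```

With a valid card the history follows steps 1 to 20 exactly: four activities in pipeline order and a completed execution; with a declined card the decider fails the execution after ChargeCreditCard, so ShipOrder is never scheduled.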
Amazon Simple Notification Service (Amazon SNS)
Amazon SNS is a web service for mobile and enterprise messaging that enables you to set up, operate, and send notifications. It is designed to make web-scale computing easier for developers. Amazon SNS follows the publish-subscribe (pub-sub) messaging paradigm, with notifications being delivered to clients using a push mechanism that eliminates the need to check periodically (or poll) for new information and updates. For example, you can send notifications to Apple, Android, Fire OS, and Windows devices. In China, you can send messages to Android devices with Baidu Cloud Push. You can use Amazon SNS to send Short Message Service (SMS) messages to mobile device users in the United States or to email recipients worldwide.
Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.
Figure 8.4 shows this process at a high level. A publisher issues a message on a topic. The message is then delivered to the subscribers of that topic using different methods, such as Amazon SQS, HTTP, HTTPS, email, SMS, and AWS Lambda.
FIGURE 8.4 Diagram of topic delivery
When using Amazon SNS, you (as the owner) create a topic and control access to it by defining policies that determine which publishers and subscribers can communicate with the topic and via which technologies. Publishers send messages to topics that they created or that they have permission to publish to. Instead of including a specific destination address in each message, a publisher sends a message to the topic, and Amazon SNS delivers the message to each subscriber for that topic. Each topic has a unique name that identifies the Amazon SNS endpoint where publishers post messages and subscribers register for notifications. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
Common Amazon SNS Scenarios
Amazon SNS can support a wide variety of needs, including monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications. For example, you can use Amazon SNS to relay events in workflow systems among distributed computer applications, move data between data stores, or update records in business systems. Event updates and notifications concerning validation, approval, inventory changes, and shipment status are immediately delivered to relevant system components and end users. Another example use for Amazon SNS is to relay time-critical events to mobile applications and devices. Because Amazon SNS is both highly reliable and scalable, it provides significant advantages to developers who build applications that rely on real-time events.
To help illustrate, the following sections describe some common Amazon SNS scenarios, including fanout scenarios, application and system alerts, push email and text messaging, and mobile push notifications.
Fanout
A fanout scenario is when an Amazon SNS message is sent to a topic and then replicated and pushed to multiple Amazon SQS queues, HTTP endpoints, or email addresses (see Figure 8.5). This allows for parallel asynchronous processing. For example, you can develop an application that sends an Amazon SNS message to a topic whenever an order is placed for a product. Then the Amazon SQS queues that are subscribed to that topic will receive identical notifications for the new order. An Amazon EC2 instance attached to one of the queues handles the processing or fulfillment of the order, while an Amazon EC2 instance attached to a parallel queue sends order data to a data warehouse application/service for analysis.
FIGURE 8.5 Diagram of fanout scenario
Another way to use fanout is to replicate data sent to your production environment and integrate it with your development environment. Expanding upon the previous example, you can subscribe yet another queue to the same topic for new incoming orders. Then, by attaching this new queue to your development environment, you can continue to improve and test your application using data received from your production environment.
Application and System Alerts
Application and system alerts are SMS and/or email notifications that are triggered by predefined thresholds. For example, because many AWS Cloud services use Amazon SNS, you can receive immediate notification when an event occurs, such as a specific change to your Auto Scaling group in AWS.
Push Email and Text Messaging
Push email and text messaging are two ways to transmit messages to individuals or groups via email and/or SMS. For example, you can use Amazon SNS to push targeted news headlines to subscribers by email or SMS. Upon receiving the email or SMS text, interested readers can then choose to learn more by visiting a website or launching an application.
Mobile Push Notifications
Mobile push notifications enable you to send messages directly to mobile applications. For example, you can use Amazon SNS for sending notifications to an application, indicating that an update is available. The notification message can include a link to download and install the update.
Summary
In this chapter, you learned about the core application and mobile services that you will be tested on in your AWS Certified Solutions Architect – Associate exam.
Amazon SQS is a unique service designed by Amazon to help you decouple your infrastructure. Using Amazon SQS, you can store messages on reliable and scalable infrastructure as they travel between distributed components of your applications that perform different tasks, without losing messages or requiring each component to be continuously available.
Understand Amazon SQS queue operations, unique IDs, and metadata. Be familiar with queue and message identifiers such as queue URLs, message IDs, and receipt handles. Understand related concepts such as delay queues, message attributes, long polling, message timers, dead letter queues, access control, and the overall message lifecycle.
Amazon SWF allows you to create applications that coordinate work across distributed components. Amazon SWF is driven by tasks, which are logical units of work that different components of your application perform. To manage tasks across your application, you need to be aware of inter-task dependencies, scheduling of tasks, and using tasks concurrently. Amazon SWF simplifies the coordination of workflow tasks, giving you full control over their implementation without worrying about underlying complexities such as tracking their progress and maintaining their state.
You must be familiar with the following Amazon SWF components and the lifecycle of a workflow execution:
Workers, starters, and deciders
Workflows
Workflow history
Actors
Tasks
Domains
Object identifiers
Task lists
Workflow execution closure
Long polling
Amazon SNS is a push notification service that lets you send individual or multiple messages to large numbers of recipients. Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.
Amazon SNS can support a wide variety of needs, including monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications. Understand some common Amazon SNS scenarios, including:
Fanout
Application and system alerts
Push email and text messaging
Mobile push notifications
Exam Essentials
Know how to use Amazon SQS. Amazon SQS is a unique service designed by Amazon to help you to decouple your infrastructure. Using Amazon SQS, you can store messages on reliable and scalable infrastructure as they travel between your servers. This allows you to move data between distributed components of your applications that perform different tasks without losing messages or requiring each component always to be available.
Understand Amazon SQS visibility timeouts. Visibility timeout is a period of time during which Amazon SQS prevents other components from receiving and processing a message because another component is already processing it. By default, the message visibility timeout is set to 30 seconds, and the maximum that it can be is 12 hours.
Know how to use Amazon SQS long polling. Long polling allows your Amazon SQS client to poll an Amazon SQS queue. If nothing is there, ReceiveMessage waits between 1 and 20 seconds. If a message arrives in that time, it is returned to the caller as soon as possible. If a message does not arrive in that time, you need to execute the ReceiveMessage function again. This helps you avoid polling in tight loops and prevents you from burning through CPU cycles, keeping costs low.
Know how to use Amazon SWF. Amazon SWF allows you to make applications that coordinate work across distributed components. Amazon SWF is driven by tasks, which are logical units of work that part of your application performs. To manage tasks across your application, you need to be aware of inter-task dependencies, scheduling of tasks, and using tasks concurrently. This is where Amazon SWF can help you. It gives you full control over implementing tasks and coordinating them without worrying about underlying complexities such as tracking their progress and maintaining their state.
Know the basics of an Amazon SWF workflow. A workflow is a collection of activities (coordinated by logic) that carry out a specific goal. For example, a workflow receives a customer order and takes whatever actions are necessary to fulfill it. Each workflow runs in an AWS resource called a domain, which controls the scope of the workflow. An AWS account can have multiple domains, each of which can contain multiple workflows, but workflows in different domains cannot interact.
Understand the different Amazon SWF actors. Amazon SWF interacts with a number of different types of programmatic actors. Actors can be activity workers, workflow starters, or deciders.
Understand Amazon SNS basics. Amazon SNS is a push notification service that lets you send individual or multiple messages to large numbers of recipients. Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic.
Know the different protocols used with Amazon SNS. You can use the following protocols with Amazon SNS: HTTP, HTTPS, SMS, email, email-JSON, Amazon SQS, and AWS Lambda.
Exercises
In this section, you create a topic and subscription in Amazon SNS and then publish a message to your topic.
EXERCISE 8.1
Create an Amazon SNS Topic
In this exercise, you will create an Amazon SNS topic.
1. Open a browser, and navigate to the AWS Management Console. Sign in to your AWS account.
2. Navigate to Mobile Services and then Amazon SNS to load the Amazon SNS dashboard.
3. Create a new topic, and use MyTopic for both the topic name and the display name.
4. Note that an Amazon Resource Name (ARN) is specified immediately.
Congratulations! You have created your first topic.
EXERCISE 8.2
Create a Subscription to Your Topic
In this exercise, you will create a subscription to the newly created topic using your email address. Then you confirm your email address.
1. In the Amazon SNS dashboard of the AWS Management Console, navigate to Topics.
2. Select the ARN that you just created. Create a Subscription with the protocol of Email, and enter your email address.
3. Create the Subscription.
4. The service sends a confirmation email to your email address. Before this subscription can go live, you need to click on the link in the email that AWS sent you to confirm your email address. Check your email, and confirm your address.
Congratulations! You have now confirmed your email address and created a subscription to a topic.
EXERCISE 8.3
Publish to a Topic
In this exercise, you will publish a message to your newly created topic.
1. In the Amazon SNS dashboard of the AWS Management Console, navigate to Topics.
2. Navigate to the ARN link for your newly created topic.
3. Update the subject with MyTestMessage, leave the message format set to Raw, and set the Time to Live (TTL) field to 300.
4. Publish the message.
5. You should receive an email from your topic name with the subject that you specified. If you do not receive this email, check your junk folder.
Congratulations! In this exercise, you created a new topic, added a new subscription, and then published a message to your new topic. Note the different formats in which you can publish messages, including HTTP and AWS Lambda. Delete your newly created topic and subscriptions after you have finished all of the exercises in this chapter.
EXERCISE 8.4
Create Queue
1. In the AWS Management Console, navigate to Application Services and then to Amazon SQS to load the Amazon SQS dashboard.
2. Create a new queue with input as the queue name, 60 seconds for the default visibility, and 5 minutes for the message retention period. Leave the remaining default values for this exercise.
3. Create the queue.
Congratulations! In this exercise, you created a new queue. You will publish to this queue in the following exercise.
EXERCISE 8.5
Subscribe Queue to SNS Topic
1. In the AWS Management Console, navigate to Application Services and then to Amazon SQS to load the Amazon SQS dashboard.
2. Subscribe your queue to your Amazon SNS topic.
3. Now return to the Amazon SNS dashboard (in the AWS Management Console under Mobile Services).
4. Publish to your new topic, and use the defaults.
5. Return to the Amazon SQS dashboard (in the AWS Management Console under Application Services).
6. You will notice there is "1 Message Available" in the input queue. Select the check box to the left of the input queue name.
7. Start polling for messages. You should see the Amazon SNS message in your queue.
8. Click the More Details link to see the details of the message.
9. Review your message, and click Close.
10. Delete your message.
Congratulations! In this exercise, you subscribed your input queue to an Amazon SNS topic and viewed your message in your Amazon SQS queue in addition to receiving the message in subscribed email.
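What step 2 of Exercise 8.5 does behind the scenes, as an added example that is not part of the original exercise: the console's Subscribe Queue to SNS Topic action adds a statement to the queue's access policy allowing the Amazon SNS service principal to call sqs:SendMessage on the queue; if you subscribe with the API or CLI instead, you must add that statement yourself. The aws:SourceArn condition is the security-relevant part: without it, any topic in any AWS account could deliver into your queue. The second statement shows the same resource-policy mechanism used for the cross-account grant asked about in review question 19. The account IDs 111122223333 and 444455556666, the region, and the queue and topic names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyMyTopicToDeliver",
      "Effect": "Allow",
      "Principal": { "Service": "sns.amazonaws.com" },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:input",
      "Condition": {
        "ArnEquals": { "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:MyTopic" }
      }
    },
    {
      "Sid": "AllowOtherAccountToConsume",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ],
      "Resource": "arn:aws:sqs:us-east-1:111122223333:input"
    }
  ]
}
```

The policy is attached as the queue's Policy attribute (SetQueueAttributes, or the Permissions tab in the console). Granting to the other account's root ARN does not hand out credentials: it allows that account to delegate access to its own IAM users and roles, each of which still needs an identity policy of its own that allows the same actions.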
Review Questions
1. Which of the following is not a supported Amazon Simple Notification Service (Amazon SNS) protocol?
A. HTTPS
B. AWS Lambda
C. Email-JSON
D. Amazon DynamoDB
2. When you create a new Amazon Simple Notification Service (Amazon SNS) topic, which of the following is created automatically?
A. An Amazon Resource Name (ARN)
B. A subscriber
C. An Amazon Simple Queue Service (Amazon SQS) queue to deliver your Amazon SNS topic
D. A message
3. Which of the following are features of Amazon Simple Notification Service (Amazon SNS)? (Choose 3 answers)
A. Publishers
B. Readers
C. Subscribers
D. Topic
4. What is the default time for an Amazon Simple Queue Service (Amazon SQS) visibility timeout?
A. 30 seconds
B. 60 seconds
C. 1 hour
D. 12 hours
5. What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) visibility timeout?
A. 30 seconds
B. 60 seconds
C. 1 hour
D. 12 hours
6. Which of the following options are valid properties of an Amazon Simple Queue Service (Amazon SQS) message? (Choose 2 answers)
A. Destination
B. Message ID
C. Type
D. Body
7. You are a solutions architect who is working for a mobile application company that wants to use Amazon Simple Workflow Service (Amazon SWF) for their new takeout ordering application. They will have multiple workflows that will need to interact. What should you advise them to do in structuring the design of their Amazon SWF environment?
A. Use multiple domains, each containing a single workflow, and design the workflows to interact across the different domains.
B. Use a single domain containing multiple workflows. In this manner, the workflows will be able to interact.
C. Use a single domain with a single workflow and collapse all activities to within this single workflow.
D. Workflows cannot interact with each other; they would be better off using Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) for their application.
8. In Amazon Simple Workflow Service (Amazon SWF), which of the following are actors? (Choose 3 answers)
A. Activity workers
B. Workflow starters
C. Deciders
D. Activity tasks
9. You are designing a new application, and you need to ensure that the components of your application are not tightly coupled. You are trying to decide between the different AWS Cloud services to use to achieve this goal. Your requirements are that messages between your application components may not be delivered more than once, tasks must be completed in either a synchronous or asynchronous fashion, and there must be some form of application logic that decides what to do when tasks have been completed. What application service should you use?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Simple Workflow Service (Amazon SWF)
C. Amazon Simple Storage Service (Amazon S3)
D. Amazon Simple Email Service (Amazon SES)
10. How does Amazon Simple Queue Service (Amazon SQS) deliver messages?
A. Last In, First Out (LIFO)
B. First In, First Out (FIFO)
C. Sequentially
D. Amazon SQS doesn't guarantee delivery of your messages in any particular order.
11. Of the following options, what is an efficient way to fan out a single Amazon Simple Notification Service (Amazon SNS) message to multiple Amazon Simple Queue Service (Amazon SQS) queues?
A. Create an Amazon SNS topic using Amazon SNS. Then create multiple Amazon SQS queues and subscribe them to the Amazon SNS topic.
B. Create one Amazon SQS queue that subscribes to multiple Amazon SNS topics.
C. Amazon SNS allows exactly one subscriber to each topic, so fan out is not possible.
D. Create an Amazon SNS topic using Amazon SNS. Create an application that subscribes to that topic and duplicates the message. Send copies to multiple Amazon SQS queues.
12. Your application polls an Amazon Simple Queue Service (Amazon SQS) queue frequently and returns immediately, often with empty ReceiveMessageResponses. What is one thing that can be done to reduce Amazon SQS costs?
A. Pricing on Amazon SQS does not include a cost for service requests; therefore, there is no concern.
B. Increase the timeout value for short polling to wait for messages longer before returning a response.
C. Change the message visibility value to a higher number.
D. Use long polling by supplying a WaitTimeSeconds of greater than 0 seconds when calling ReceiveMessage.
13. What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) long polling timeout?
A. 10 seconds
B. 20 seconds
C. 30 seconds
D. 1 hour
14. What is the longest configurable message retention period for Amazon Simple Queue Service (Amazon SQS)?
A. 30 minutes
B. 4 days
C. 30 seconds
D. 14 days
15. What is the default message retention period for Amazon Simple Queue Service (Amazon SQS)?
A. 30 minutes
B. 4 days
C. 30 seconds
D. 14 days
16. Amazon Simple Notification Service (Amazon SNS) is a push notification service that lets you send individual or multiple messages to large numbers of recipients. What types of clients are supported?
A. Java and JavaScript clients that support publisher and subscriber types
B. Producers and consumers supported by C and C++ clients
C. Mobile and AMQP support for publisher and subscriber client types
D. Publisher and subscriber client types
17. In Amazon Simple Workflow Service (Amazon SWF), a decider is responsible for what?
A. Executing each step of the work
B. Defining work coordination logic by specifying work sequencing, timing, and failure conditions
C. Executing your workflow
D. Registering activities and workflow with Amazon SWF
18. Can an Amazon Simple Notification Service (Amazon SNS) topic be recreated with a previously used topic name?
A. Yes. The topic name should typically be available 24 hours after the previous topic with the same name has been deleted.
B. Yes. The topic name should typically be available 1–3 hours after the previous topic with the same name has been deleted.
C. Yes. The topic name should typically be available 30–60 seconds after the previous topic with the same name has been deleted.
D. At this time, this feature is not supported.
19. What should you do in order to grant a different AWS account permission to your Amazon Simple Queue Service (Amazon SQS) queue?
A. Share credentials to your AWS account and have the other account's applications use your account's credentials to access the Amazon SQS queue.
B. Create a user for that account in AWS Identity and Access Management (IAM) and establish an IAM policy that grants access to the queue.
C. Create an Amazon SQS policy that grants the other account access.
D. Amazon Virtual Private Cloud (Amazon VPC) peering must be used to achieve this.
20. Can an Amazon Simple Notification Service (Amazon SNS) message be deleted after being published to a topic?
A. Only if a subscriber (or subscribers) has not read the message yet
B. Only if the Amazon SNS recall message parameter has been set
C. No. After a message has been successfully published to a topic, it cannot be recalled.
D. Yes. However, it can be deleted only if the subscribers are Amazon SQS queues.
Chapter 9
Domain Name System (DNS) and Amazon Route 53
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Developing to client specifications, including pricing/cost (for example, on-demand vs. reserved vs. spot; RTO and RPO DR design)
Architectural trade-off decisions (for example, high availability vs. cost, Amazon Relational Database Service [RDS] vs. installing your own database on Amazon Elastic Compute Cloud [EC2])
Elasticity and scalability (for example, auto-scaling, SQS, ELB, CloudFront)
Domain 3.0: Data Security
3.1 Recognize and implement secure procedures for optimum cloud deployment and maintenance.
3.2 Recognize critical disaster-recovery techniques and their implementation.
Amazon Route 53
Domain Name System (DNS)
The Domain Name System (DNS) is sometimes a difficult concept to understand because it is so ubiquitously used in making the Internet work. Before we get into the details, let's start with a simple analogy. The Internet Protocol (IP) address of your website is like your phone number: it could change if you move to a new area (at least your landline could change). DNS is like the phone book. If someone wants to call you at your new house or location, they might look you up by name in the phone book. If their phone book hasn't been updated since you moved, however, they might call your old house. When a visitor wants to access your website, their computer takes the domain name typed in (www.amazon.com, for example) and looks up the IP address for that domain using DNS.
More specifically, DNS is a globally distributed service that is foundational to the way people use the Internet. DNS uses a hierarchical name structure, and different levels in the hierarchy are each separated with a dot (.). Consider the domain names www.amazon.com and aws.amazon.com. In both these examples, com is the Top-Level Domain (TLD) and amazon is the Second-Level Domain (SLD). There can be any number of lower levels (for example, www and aws) below the SLD.
Computers use the DNS hierarchy to translate human-readable names (for example, www.amazon.com) into the IP addresses (for example, 192.0.2.1) that computers use to connect to one another. Every time you use a domain name, a DNS service must translate the name into the corresponding IP address. In summary, if you've used the Internet, you've used DNS.
Amazon Route 53 is an authoritative DNS system. An authoritative DNS system provides an update mechanism that developers use to manage their public DNS names. It then answers DNS queries, translating domain names into IP addresses so that computers can communicate with each other.
This chapter is intended to provide you with a baseline understanding of DNS and the Amazon Route 53 service that is designed to help users find your website or application over the Internet.
Domain Name System (DNS) Concepts
This section of the chapter defines DNS terms, describes how DNS works, and explains commonly used record types.
Top-Level Domains (TLDs)
A Top-Level Domain (TLD) is the most general part of the domain. The TLD is the farthest portion to the right (as separated by a dot). Common TLDs are .com, .net, .org, .gov, .edu, and .io.
TLDs are at the top of the hierarchy in terms of domain names. Certain parties are given management control over TLDs by the Internet Corporation for Assigned Names and Numbers (ICANN). These parties can then distribute domain names under the TLD, usually through a domain registrar. These domains are registered with the Network Information Center (InterNIC), a service of ICANN, which enforces the uniqueness of domain names across the Internet. Each domain name becomes registered in a central database, known as the WHOIS database.
Domain Names
A domain name is the human-friendly name that we are used to associating with an Internet resource. For instance, amazon.com is a domain name. Some people will say that the amazon portion is the domain, but we can generally refer to the combined form as the domain name.
The URL aws.amazon.com is associated with the servers owned by AWS. The DNS allows users to reach the AWS servers when they type aws.amazon.com into their browsers.
IP Addresses
An IP address is a network-addressable location. Each IP address must be unique within its network. For public websites, this network is the entire Internet.
IPv4 addresses, the most common form of addresses, consist of four sets of numbers separated by a dot, with each set having up to three digits. For example, 111.222.111.222 could be a valid IPv4 address. With DNS, we map a name to that address so that you do not have to remember a complicated set of numbers for each place you want to visit on a network.
Due to the tremendous growth of the Internet and the number of devices connected to it, the IPv4 address range has quickly been depleted. IPv6 was created to solve this depletion issue, and it has an address space of 128 bits, which allows for 340,282,366,920,938,463,463,374,607,431,768,211,456, or 340 undecillion, unique addresses. For human beings, this number is difficult to imagine, so consider this: If each IPv4 address were one grain of sand, you would have enough addresses to fill approximately one dump truck with sand. If each IPv6 address were one grain of sand, you would have enough sand to equal the approximate size of the sun. Today, most devices and networks still communicate using IPv4, but migration to IPv6 is proceeding gradually over time.
Hosts
Within a domain, the domain owner can define individual hosts, which refer to separate computers or services accessible through a domain. For instance, most domain owners make their web servers accessible through the base domain (example.com) and also through the host definition www (as in www.example.com).
You can have other host definitions under the general domain, such as Application Programming Interface (API) access through an API host (api.example.com) or File Transfer Protocol (FTP) access with a host definition of ftp or files (ftp.example.com or files.example.com). The host names can be arbitrary as long as they are unique for the domain.
Subdomains
DNS works in a hierarchical manner and allows a large domain to be partitioned or extended into multiple subdomains. TLDs can have many subdomains under them. For instance, zappos.com and audible.com are both subdomains of the .com TLD (although they are typically just called domains). The zappos or audible portion can be referred to as an SLD.
Likewise, each SLD can have subdomains located under it. For instance, the URL for the history department of a school could be www.history.school.edu. The history portion is a subdomain.
The difference between a host name and a subdomain is that a host defines a computer or resource, while a subdomain extends the parent domain. Subdomains are a method of subdividing the domain itself.
Whether talking about subdomains or hosts, you can see that the left-most portions of a domain are the most specific. This is how DNS works: from most to least specific as you read from left to right.
Fully Qualified Domain Name (FQDN)
Domain locations in a DNS can be relative to one another and, as such, can be somewhat ambiguous. A Fully Qualified Domain Name (FQDN), also referred to as an absolute domain name, specifies a domain's location in relation to the absolute root of the DNS.
This means that the FQDN specifies each parent domain including the TLD. A proper FQDN ends with a dot, indicating the root of the DNS hierarchy. For example, mail.amazon.com. (with the trailing dot) is an FQDN. Sometimes, software that calls for an FQDN does not require the ending dot, but the DNS standards require it, and in a zone file a name written without the trailing dot is treated as relative to the zone's origin rather than as absolute.
In Figure 9.1, you can see that the entire string is the FQDN, which is composed of the domain name, subdomain, root, TLD, SLD and host.
FIGURE 9.1 FQDN components
Name Servers
A name server is a computer designated to translate domain names into IP addresses. These servers do most of the work in the DNS. Because the total number of domain translations is too much for any one server, each server may redirect requests to other name servers or delegate responsibility for the subset of subdomains for which they are responsible.
Name servers can be authoritative, meaning that they give answers to queries about domains under their control. Otherwise, they may point to other servers or serve cached copies of other name servers' data.
Zone Files
A zone file is a simple text file that contains the mappings between domain names and IP addresses. This is how a DNS server finally identifies which IP address should be contacted when a user requests a certain domain name.
Zone files reside in name servers and generally define the resources available under a specific domain, or the place where one can go to get that information.
Top-Level Domain (TLD) Name Registrars
Because all of the names in a given domain must be unique, there needs to be a way to organize them so that domain names aren't duplicated. This is where domain name registrars come in. A domain name registrar is an organization or commercial entity that manages the reservation of Internet domain names. A domain name registrar must be accredited by a generic TLD (gTLD) registry and/or a country code TLD (ccTLD) registry. The management is done in accordance with the guidelines of the designated domain name registries.
Steps Involved in Domain Name System (DNS) Resolution
When you type a domain name into your browser, your computer first checks its hosts file to see if it has that domain name stored locally. If it does not, it will check its DNS cache to see if you have visited the site before. If it still does not have a record of that domain name, it will contact a DNS server to resolve the domain name.
DNS is, at its core, a hierarchical system. At the top of this system are root servers. ICANN delegates the control of these servers to various organizations.
As of this writing, there are 13 root server addresses in operation (named A through M). Root servers handle requests for information about TLDs. When a request comes in for a domain that a lower-level name server cannot resolve, a query is made to the root server for the domain.
In order to handle the incredible volume of resolutions that happen every day, these root servers are mirrored and replicated. When requests are made to a certain root server, the request will be routed to the nearest mirror of that root server.
The root servers won't actually know where the domain is hosted. They will, however, be able to direct the requester to the name servers that handle the specifically requested TLD.
For example, if a request for www.wikipedia.org is made to the root server, it will check its zone files for a listing that matches that domain name, but it will not find one in its records. It will instead find a record for the .org TLD and give the requesting entity the address of the name server responsible for .org addresses.
Top-Level Domain (TLD) Servers
After a root server returns the IP address of the appropriate server that is responsible for the TLD of a request, the requester then sends a new request to that address.
To continue the example from the previous section, the requesting entity would send a request to the name server responsible for knowing about .org domains to see if it can locate www.wikipedia.org.
Once again, when the name server searches its zone files for a www.wikipedia.org listing, it will not find one in its records. However, it will find a listing for the IP address of the name server responsible for wikipedia.org. This is getting much closer to the correct IP address.
Domain-Level Name Servers
At this point, the requester has the IP address of the name server that is responsible for knowing the actual IP address of the resource. It sends a new request to the name server asking, once again, if it can resolve www.wikipedia.org.
The name server checks its zone files, and it finds a zone file associated with wikipedia.org. Inside of this file, there is a record that contains the IP address for the www host. The name server returns the final address to the requester.
Resolving Name Servers
In the previous scenario, we referred to a requester. What is the requester in this situation?
In almost all cases, the requester will be what is called a resolving name server, which is a server that is configured to ask other servers questions. Its primary function is to act as an intermediary for a user, caching previous query results to improve speed and providing the addresses of appropriate root servers to resolve new requests.
A user will usually have a few resolving name servers configured on their computer system. The resolving name servers are typically provided by an Internet Service Provider (ISP) or other organization. There are several public resolving DNS servers that you can query. These can be configured in your computer either automatically or manually.
When you type a URL in the address bar of your browser, your computer first looks to see if it can find the resource's location locally. It checks the hosts file on the computer and any locally stored cache. It then sends the request to the resolving name server and waits to receive the IP address of the resource.
The resolving name server then checks its cache for the answer. If it doesn't find it, it goes through the steps outlined in the previous sections.
Resolving name servers compress the requesting process for the end user. The clients simply have to know to ask the resolving name servers where a resource is located, and the resolving name servers will do the work to investigate and return the final answer.
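The referral chain described in this section, as an added example that is not part of the original chapter and is not a real resolver: a resolving name server walks a constructed in-memory hierarchy (root server, .org TLD server, wikipedia.org's own server) for www.wikipedia.org, follows a CNAME, caches what it learns, and reports NXDOMAIN for a name that does not exist. The server addresses, name server names and zone contents are made up (documentation address ranges); the code never contacts the real DNS.

```python
"""Iterative DNS resolution over a constructed, in-memory server hierarchy.

Added example for this chapter, not from the original text and not a real
resolver: the root, TLD and domain-level "servers" are dictionaries of made-up
zone data using documentation address ranges, and nothing here uses the network.
"""

# Each server: the zone it is authoritative for ("auth"), the delegations it
# knows (NS: child zone -> name server names), the addresses it can hand out
# (A, including glue for name servers) and aliases (CNAME). Names are absolute.
SERVERS = {
    "192.0.2.1": {                                   # a root server
        "auth": ".",
        "NS": {"org.": ["a0.org-servers.example."]},
        "A": {"a0.org-servers.example.": "198.51.100.1"},
        "CNAME": {},
    },
    "198.51.100.1": {                                # the .org TLD server
        "auth": "org.",
        "NS": {"wikipedia.org.": ["ns0.wikimedia.example."]},
        "A": {"ns0.wikimedia.example.": "203.0.113.53"},
        "CNAME": {},
    },
    "203.0.113.53": {                                # wikipedia.org's own name server
        "auth": "wikipedia.org.",
        "NS": {"wikipedia.org.": ["ns0.wikimedia.example."]},
        "A": {"wikipedia.org.": "192.0.2.10", "www.wikipedia.org.": "192.0.2.10"},
        "CNAME": {"en.wikipedia.org.": "www.wikipedia.org."},
    },
}
ROOT_SERVERS = ["192.0.2.1"]


def fqdn(name):
    """Normalise to a fully qualified, lower-case name ending in the root dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def query(server_addr, qname):
    """One exchange with one server. Returns (kind, data): 'answer' with an
    address, 'cname' with the canonical name, 'referral' with the addresses of
    the delegated name servers, or 'nxdomain'."""
    zone = SERVERS[server_addr]
    if qname in zone["A"]:
        return "answer", zone["A"][qname]
    if qname in zone["CNAME"]:
        return "cname", zone["CNAME"][qname]
    # Closest enclosing delegation, from the name itself upwards, but never a
    # referral back to the zone this server is itself authoritative for.
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zone["NS"] and candidate != zone["auth"]:
            return "referral", [zone["A"][ns] for ns in zone["NS"][candidate] if ns in zone["A"]]
    return "nxdomain", None


class ResolvingNameServer:
    """The text's 'requester': starts at a root server, follows referrals down
    the hierarchy and caches answers so repeated lookups cost no queries."""

    def __init__(self):
        self.cache = {}
        self.queries_sent = 0
        self.trace = []          # (server, qname, kind) for the last top-level resolve()

    def resolve(self, name, _depth=0):
        qname = fqdn(name)
        if _depth == 0:
            self.trace = []
        if qname in self.cache:
            return self.cache[qname]
        if _depth > 8:
            return None          # CNAME chain too long; give up
        servers = list(ROOT_SERVERS)
        for _ in range(16):      # bound the referral walk
            if not servers:
                return None
            kind, data = query(servers[0], qname)
            self.queries_sent += 1
            self.trace.append((servers[0], qname, kind))
            if kind == "answer":
                self.cache[qname] = data
                return data
            if kind == "cname":  # resolve the canonical name, cache under the alias too
                addr = self.resolve(data, _depth + 1)
                if addr is not None:
                    self.cache[qname] = addr
                return addr
            if kind == "referral":
                servers = data
                continue
            return None          # nxdomain
        return None
```

The first lookup costs exactly three round trips (root, TLD, domain-level), the second lookup of the same name costs none, and a lookup of en.wikipedia.org costs three more because the CNAME target is already cached. A real resolver also caches the referrals themselves, so after the first lookup it would skip the root and TLD servers for any other wikipedia.org name.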
More About Zone Files
Zone files are the way that name servers store information about the domains they know. The more zone files that a name server has, the more requests it will be able to answer authoritatively. Most requests to the average name server, however, are for domains that are not in the local zone file.
If the server is configured to handle recursive queries, like a resolving name server, it will find the answer and return it. Otherwise, it will tell the requesting entity where to look next.
A zone file describes a DNS zone, which is a subset of the entire DNS. Zone files are generally used to configure a single domain, and they can contain a number of records that define where resources are for the domain in question.
The zone file's $ORIGIN directive is a parameter equal to the zone's highest level of authority by default. If a zone file is used to configure the example.com domain, the $ORIGIN would be set to example.com.
This parameter is either configured at the top of the zone file or defined in the DNS server's configuration file that references the zone file. Either way, this parameter defines what authoritative records the zone governs.
Similarly, the $TTL directive configures the default Time to Live (TTL) value for resource records in the zone. This value defines the length of time that previously queried results are available to a caching name server before they expire.
Record Types
Each zone file contains records. In its simplest form, a record is a single mapping between a resource and a name. These can map a domain name to an IP address or define resources for the domain, such as name servers or mail servers. This section describes each record type in detail.
Start of Authority (SOA) Record
A Start of Authority (SOA) record is mandatory in all zone files, and it identifies the base DNS information about the domain. Each zone contains a single SOA record.
The SOA record stores information about the following:
The name of the primary DNS server for that zone
The administrator of the zone (an email address, written with the @ replaced by a dot)
The current version of the data file (the serial number)
The number of seconds that a secondary name server should wait before checking for updates (refresh)
The number of seconds that a secondary name server should wait before retrying a failed zone transfer (retry)
The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire (expire)
The default TTL value (in seconds) for resource records in the zone (the minimum field; RFC 2308 redefined it as the TTL for negative answers, so the zone's $TTL directive now supplies the default record TTL)
A and AAAA
Both types of address records map a host to an IP address. The A record is used to map a host to an IPv4 address, while AAAA records are used to map a host to an IPv6 address.
Canonical Name (CNAME)
A Canonical Name (CNAME) record is a type of resource record in the DNS that defines an alias: it maps one name to the canonical name of your server, which is the domain name that carries the A or AAAA record. A name that has a CNAME record cannot carry any other record type, which is why a CNAME cannot be placed at the apex of a zone, where the SOA and NS records live.
Mail Exchange (MX)
Mail Exchange (MX) records are used to define the mail servers used for a domain and ensure that email messages are routed correctly. Each MX record carries a preference value; sending servers try the lowest value first. The MX record should point to a host defined by an A or AAAA record and not one defined by a CNAME.
Name Server (NS)
Name Server (NS) records delegate a zone. The parent zone (for example, the TLD) publishes NS records naming the servers that hold the authoritative records for the child zone, and the child zone repeats the same NS records at its apex; this is how TLD servers direct traffic to the DNS server that contains the authoritative DNS records.
Pointer (PTR)
A Pointer (PTR) record is essentially the reverse of an A record. PTR records map an IP address to a DNS name, and they are mainly used to check if the server name is associated with the IP address from where the connection was initiated.
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) records are used by mail servers to combat spam. An SPF record tells a mail server what IP addresses are authorized to send an email from your domain name. For example, if you wanted to ensure that only your mail server sends emails from your company's domain, such as example.com, you would create an SPF record with the IP address of your mail server. That way, an email sent from your domain, [email protected], would need to have an originating IP address of your company mail server in order to be accepted. This prevents people from spoofing emails from your domain name. Two practical caveats: RFC 7208 deprecated the dedicated SPF record type, so SPF policies are published today as TXT records beginning with v=spf1, and SPF only helps to the extent that receiving mail servers actually check it.
Text (TXT)
Text (TXT) records are used to hold text information. This record provides the ability to associate some arbitrary and unformatted text with a host or other name, such as human-readable information about a server, network, data center, and other accounting information.
Service (SRV)
A Service (SRV) record is a specification of data in the DNS defining the location (the host name and port number) of servers for specified services. The idea behind SRV is that, given a domain name (for example, example.com) and a service name (for example, web [HTTP], which runs on a protocol [TCP]), a DNS query may be issued to find the host name that provides such a service for the domain, which may or may not be within the domain.
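The directives and record types above, as an added example that is not part of the original chapter: a small parser for a BIND-style zone file that applies $ORIGIN and $TTL, qualifies relative names into FQDNs, and then runs the checks an operator would want from this section: exactly one SOA, no MX or NS record pointing at a CNAME, and an SPF evaluation of a sender's IP address against the zone's v=spf1 TXT record. The zone is constructed for example.com with documentation addresses; the parser supports only one-line records with an explicit owner, which is all the constructed zone uses.

```python
"""Parse a BIND-style zone file and run the checks the text motivates.

Added example for this chapter, not from the original text. The zone below is
constructed for example.com with documentation addresses; the parser supports
only $ORIGIN, $TTL and one-line records with an explicit owner name.
"""
import ipaddress
import shlex
from collections import namedtuple

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA   ns1.example.com. hostmaster.example.com. 2017010101 7200 900 1209600 300
@         IN NS    ns1.example.com.
@         IN NS    ns2.example.com.
ns1       IN A     192.0.2.53
ns2       IN A     198.51.100.53
@         IN A     192.0.2.10
www       IN CNAME example.com.
mail      IN A     192.0.2.25
mail      IN AAAA  2001:db8::25
@         IN MX    10 mail.example.com.
@         IN MX    20 www.example.com.   ; deliberately wrong: www is a CNAME
@         IN TXT   "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 -all"
_sip._tcp 86400 IN SRV 10 60 5060 sip.example.com.
"""

Record = namedtuple("Record", "name ttl rtype rdata")
# Positions in rdata that hold domain names and must be made absolute.
NAME_FIELDS = {"CNAME": (0,), "NS": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,), "SOA": (0, 1)}
SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def qualify(name, origin):
    """'@' is the origin; a name without the trailing dot is relative to the
    origin; a name with the trailing dot is already an FQDN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    origin, default_ttl, records = None, None, []
    for raw in text.splitlines():
        tokens = shlex.split(raw.split(";", 1)[0])      # ';' starts a comment
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None:
            raise ValueError("resource record before $ORIGIN")
        owner, rest = qualify(tokens[0], origin), tokens[1:]
        ttl = int(rest.pop(0)) if rest[0].isdigit() else default_ttl  # explicit TTL or $TTL
        if rest[0].upper() == "IN":
            rest.pop(0)
        rtype, rdata = rest[0].upper(), rest[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        records.append(Record(owner, ttl, rtype, rdata))
    return origin, records


def lint_zone(origin, records):
    """Exactly one SOA at the apex, and MX/NS targets must be hosts with A/AAAA
    records, never aliases (the text's rule; also RFC 2181 section 10.3)."""
    problems = []
    soa_count = sum(1 for r in records if r.rtype == "SOA" and r.name == origin)
    if soa_count != 1:
        problems.append(f"{origin} has {soa_count} SOA records, expected exactly 1")
    aliases = {r.name for r in records if r.rtype == "CNAME"}
    for r in records:
        if r.rtype in ("MX", "NS") and r.rdata[-1] in aliases:
            problems.append(f"{r.rtype} at {r.name} targets CNAME {r.rdata[-1]}")
    return problems


def spf_check(records, domain, sender_ip):
    """Evaluate the ip4:/ip6: mech anisms and 'all' of the domain's v=spf1 TXT
    record for one sender address: pass/fail/softfail/neutral, or 'none'
    when the domain publishes no SPF record (include:/a/mx are out of scope)."""
    spf = next((" ".join(r.rdata) for r in records
                if r.name == domain and r.rtype == "TXT" and r.rdata[0].startswith("v=spf1")), None)
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in spf.split()[1:]:
        qualifier = mech[0] if mech[0] in SPF_RESULT else "+"
        mech = mech.lstrip("+-~?")
        if mech == "all":
            return SPF_RESULT[qualifier]
        prefix = f"ip{ip.version}:"   # ip4: mechanisms never match an IPv6 sender
        if mech.startswith(prefix) and ip in ipaddress.ip_network(mech[len(prefix):], strict=False):
            return SPF_RESULT[qualifier]
    return "neutral"


def demo():
    origin, records = parse_zone(ZONE_TEXT)
    return {"origin": origin, "count": len(records), "problems": lint_zone(origin, records),
            "mail_host": spf_check(records, origin, "192.0.2.25"),
            "subnet_host": spf_check(records, origin, "198.51.100.77"),
            "stranger": spf_check(records, origin, "203.0.113.9"),
            "ipv6_mail": spf_check(records, origin, "2001:db8::25")}
```

Note what the IPv6 case shows: the mail host has an AAAA record, but the SPF policy lists only ip4: mechanisms, so mail it sends over IPv6 hits -all and fails. That is a common misconfiguration when a mail server gains an IPv6 address after the SPF record was written.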
Amazon Route 53 Overview
Now that you have a foundational understanding of DNS and the different DNS record types, you can explore Amazon Route 53. Amazon Route 53 is a highly available and scalable cloud DNS web service that is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications.
Amazon Route 53 performs three main functions:
Domain registration: Amazon Route 53 lets you register domain names, such as example.com.
DNS service: Amazon Route 53 translates friendly domain names like www.example.com into IP addresses like 192.0.2.1. Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency. To comply with DNS standards, responses sent over User Datagram Protocol (UDP) are limited to 512 bytes in size. Responses exceeding 512 bytes are truncated, and the resolver must re-issue the request over TCP.
Health checking: Amazon Route 53 sends automated requests over the Internet to your application to verify that it's reachable, available, and functional.
You can use any combination of these functions. For example, you can use Amazon Route 53 as both your registrar and your DNS service, or you can use Amazon Route 53 as the DNS service for a domain that you registered with another domain registrar.
Domain Registration
If you want to create a website, you first need to register the domain name. If you already registered a domain name with another registrar, you have the option to transfer the domain registration to Amazon Route 53. It isn't required to use Amazon Route 53 as your DNS service or to configure health checking for your resources.
Amazon Route 53 supports domain registration for a wide variety of generic TLDs (for example, .com and .org) and geographic TLDs (for example, .be and .us). For a complete list of supported TLDs, refer to the Amazon Route 53 Developer Guide at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/.
Domain Name System (DNS) Service
As stated previously, Amazon Route 53 is an authoritative DNS service that routes Internet traffic to your website by translating friendly domain names into IP addresses. When someone enters your domain name in a browser or sends you an email, a DNS request is forwarded to the nearest Amazon Route 53 DNS server in a global network of authoritative DNS servers. Amazon Route 53 responds with the IP address that you specified.
If you register a new domain name with Amazon Route 53, Amazon Route 53 will be automatically configured as the DNS service for the domain, and a hosted zone will be created for your domain. You add resource record sets to the hosted zone, which define how you want Amazon Route 53 to respond to DNS queries for your domain (for example, with the IP address for a web server, the IP address for the nearest Amazon CloudFront edge location, or the IP address for an Elastic Load Balancing load balancer).
If you registered your domain with another domain registrar, that registrar is probably providing the DNS service for your domain. You can transfer DNS service to Amazon Route 53, with or without transferring registration for the domain.
If you're using Amazon CloudFront, Amazon Simple Storage Service (Amazon S3), or Elastic Load Balancing, you can configure Amazon Route 53 to route Internet traffic to those resources.
Hosted Zones
A hosted zone is a collection of resource record sets hosted by Amazon Route 53. Like a traditional DNS zone file, a hosted zone represents resource record sets that are managed together under a single domain name. Each hosted zone has its own metadata and configuration information.
There are two types of hosted zones: private and public. A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds (Amazon VPCs). A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain (for example, example.com) and its subdomains (for example, apex.example.com and acme.example.com).
The resource record sets contained in a hosted zone must share the same suffix. For example, the example.com hosted zone can contain resource record sets for the www.example.com and www.aws.example.com subdomains, but it cannot contain resource record sets for a www.example.ca subdomain.
You can use Amazon S3 to host your static website at the hosted zone (for example, domain.com) and redirect all requests to a subdomain (for example, www.domain.com). Then, in Amazon Route 53, you can create an alias resource record that sends requests for the root domain to the Amazon S3 bucket.
Use an alias record, not a CNAME, at the apex of your hosted zone (the zone's own name, such as domain.com). DNS does not allow a CNAME at the apex because the SOA and NS records already exist at that name, so Amazon Route 53 rejects it; an alias record to an Amazon S3 website endpoint, an Amazon CloudFront distribution or a load balancer works because Amazon Route 53 answers the query with the target's current IP addresses itself.
Do not use A records for subdomains (for example, www.domain.com), as they refer to hardcoded IP addresses. Instead, use Amazon Route 53 alias records or traditional CNAME records to always point to the right resource, wherever your site is hosted, even when the physical server has changed its IP address.
Supported Record Types
Amazon Route 53 supports the following DNS resource record types. When you access Amazon Route 53 using the API, you will see examples of how to format the Value element for each record type. Supported record types include:
A
AAAA
CNAME
MX
NS
PTR
SOA
SPF
SRV
TXT
RoutingPolicies
Whenyoucreatearesourcerecordset,youchoosearoutingpolicy,whichdetermineshowAmazonRoute53respondstoqueries.Routingpolicyoptionsaresimple,weighted,latency-based,failover,andgeolocation.Whenspecified,AmazonRoute53evaluatesaresource’srelativeweight,theclient’snetworklatencytotheresource,ortheclient’sgeographicallocationwhendecidingwhichresourcetosendbackinaDNSresponse.
Routingpoliciescanbeassociatedwithhealthchecks,soresourcehealthstatusisconsideredbeforeitevenbecomesacandidateinaconditionaldecisiontree.Adescriptionofpossibleroutingpoliciesandmoreonhealthcheckingiscoveredinthissection.
SimpleThisisthedefaultroutingpolicywhenyoucreateanewresource.Useasimpleroutingpolicywhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain(forexample,onewebserverthatservescontentfortheexample.comwebsite).Inthiscase,AmazonRoute53respondstoDNSqueriesbasedonlyonthevaluesintheresourcerecordset(forexample,theIPaddressinanArecord).
WeightedWithweightedDNS,youcanassociatemultipleresources(suchasAmazonElasticComputeCloud[AmazonEC2]instancesorElasticLoadBalancingloadbalancers)withasingleDNSname.
Usetheweightedroutingpolicywhenyouhavemultipleresourcesthatperformthesamefunction(suchaswebserversthatservethesamewebsite),andyouwantAmazonRoute53toroutetraffictothoseresourcesinproportionsthatyouspecify.Forexample,youmayusethisforloadbalancingbetweendifferentAWSregionsortotestnewversionsofyourwebsite
(youcansend10percentoftraffictothetestenvironmentand90percentoftraffictotheolderversionofyourwebsite).
Tocreateagroupofweightedresourcerecordsets,youneedtocreatetwoormoreresourcerecordsetsthathavethesameDNSnameandtype.Youthenassigneachresourcerecordsetauniqueidentifierandarelativeweight.
WhenprocessingaDNSquery,AmazonRoute53searchesforaresourcerecordsetoragroupofresourcerecordsetsthathavethesamenameandDNSrecordtype(suchasanArecord).AmazonRoute53thenselectsonerecordfromthegroup.Theprobabilityofanyresourcerecordsetbeingselectedisgovernedbythefollowingformula:
Latency-BasedLatency-basedroutingallowsyoutorouteyourtrafficbasedonthelowestnetworklatencyforyourenduser(forexample,usingtheAWSregionthatwillgivethemthefastestresponsetime).
UsethelatencyroutingpolicywhenyouhaveresourcesthatperformthesamefunctioninmultipleAWSAvailabilityZonesorregionsandyouwantAmazonRoute53torespondtoDNSqueriesusingtheresourcesthatprovidethebestlatency.Forexample,supposeyouhaveElasticLoadBalancingloadbalancersintheU.S.West(Oregon)regionandintheAsiaPacific(Singapore)region,andyoucreatedalatencyresourcerecordsetinAmazonRoute53foreachloadbalancer.AuserinLondonentersthenameofyourdomaininabrowser,andDNSroutestherequesttoanAmazonRoute53nameserver.AmazonRoute53referstoitsdataonlatencybetweenLondonandtheSingaporeregionandbetweenLondonandtheOregonregion.IflatencyislowerbetweenLondonandtheOregonregion,AmazonRoute53respondstotheuser’srequestwiththeIPaddressofyourloadbalancerinOregon.IflatencyislowerbetweenLondonandtheSingaporeregion,AmazonRoute53respondswiththeIPaddressofyourloadbalancerinSingapore.
Failover
Use a failover routing policy to configure active-passive failover, in which one resource takes all the traffic when it's available and the other resource takes all the traffic when the first resource isn't available. Note that, at the time of this writing, you can't create failover resource record sets for private hosted zones.
For example, you might want your primary resource record set to be in U.S. West (N. California) and your secondary, Disaster Recovery (DR), resource(s) to be in U.S. East (N. Virginia). Amazon Route 53 will monitor the health of your primary resource endpoints using a health check.
A health check tells Amazon Route 53 how to send requests to the endpoint whose health you want to check: which protocol to use (HTTP, HTTPS, or TCP), which IP address and port to use, and, for HTTP/HTTPS health checks, a domain name and path.
After you have configured a health check, Amazon Route 53 will monitor the health of your selected endpoint. If your health check fails, the failover routing policy is applied and your DNS will fail over to your DR site.
Geolocation
Geolocation routing lets you choose where Amazon Route 53 will send your traffic based on the geographic location of your users (the location from which DNS queries originate). For example, you might want all queries from Europe to be routed to a fleet of Amazon EC2 instances that are specifically configured for your European customers, with local languages and pricing in Euros.
You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. Another possible use is for balancing load across endpoints in a predictable, easy-to-manage way so that each user location is consistently routed to the same endpoint. Bear in mind that the location Route 53 sees is that of the querying resolver's IP address (or the client subnet, when the resolver supplies it), and that anyone can query your name servers directly from anywhere; geolocation routing steers well-behaved clients but is not an access control where distribution rights matter.
You can specify geographic locations by continent, by country, or even by state in the United States. You can also create separate resource record sets for overlapping geographic regions, and priority goes to the smallest geographic region. For example, you might have one resource record set for Europe and one for the United Kingdom. This allows you to route some queries for selected countries (in this example, the United Kingdom) to one resource and to route queries for the rest of the continent (in this example, Europe) to a different resource.
Geolocation works by mapping IP addresses to locations. You should be cautious, however, as some IP addresses aren't mapped to geographic locations. Even if you create geolocation resource record sets that cover all seven continents, Amazon Route 53 will receive some DNS queries from locations that it can't identify.
In this case, you can create a default resource record set that handles both queries from IP addresses that aren't mapped to any location and queries that come from locations for which you haven't created geolocation resource record sets. If you don't create a default resource record set, Amazon Route 53 returns a "no answer" response for queries from those locations.
You cannot create two geolocation resource record sets that specify the same geographic location. You also cannot create geolocation resource record sets that have the same values for "Name" and "Type" as the "Name" and "Type" of non-geolocation resource record sets.
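The selection logic described above (smallest matching region wins, then the default record, then "no answer") is easy to get wrong in a test plan, so here it is as an added example that is not part of the book or of Route 53 itself. The record set is constructed; the `GeoLocation` keys follow the Route 53 API field names (`ContinentCode`, `CountryCode`, `SubdivisionCode`, with `CountryCode` of `*` marking the default record), and the query location is whatever your geo-IP lookup produced for the resolver's address, or `None` when it is unmapped.

```python
"""Most-specific-match selection for geolocation records (added example).
Precedence from the text: U.S. state, then country, then continent, then the
default record. Standard library only."""
from typing import Dict, List, Optional, Tuple

# Constructed records. GeoLocation keys follow the Route 53 API field names;
# the default record is the one whose CountryCode is "*".
GEO_RECORDS: List[dict] = [
    {"SetIdentifier": "europe", "GeoLocation": {"ContinentCode": "EU"}, "Value": "192.0.2.10"},
    {"SetIdentifier": "uk", "GeoLocation": {"CountryCode": "GB"}, "Value": "192.0.2.20"},
    {"SetIdentifier": "california",
     "GeoLocation": {"CountryCode": "US", "SubdivisionCode": "CA"}, "Value": "192.0.2.30"},
    {"SetIdentifier": "default", "GeoLocation": {"CountryCode": "*"}, "Value": "192.0.2.40"},
]

LocKey = Tuple[Optional[str], Optional[str], Optional[str]]


def _loc_key(geo: dict) -> LocKey:
    return (geo.get("ContinentCode"), geo.get("CountryCode"), geo.get("SubdivisionCode"))


def validate_geo_records(records: List[dict]) -> None:
    """No two records in a group may name the same geographic location."""
    seen = set()
    for r in records:
        key = _loc_key(r["GeoLocation"])
        if key in seen:
            raise ValueError(f"duplicate geolocation record for {key}")
        seen.add(key)


def resolve_geo(records: List[dict], query_location: Optional[Dict[str, str]]) -> Optional[str]:
    """Return the value Route 53 would answer with, or None for "no answer".

    query_location is the geo-IP result for the resolver's source address,
    e.g. {"continent": "EU", "country": "GB"} or
    {"continent": "NA", "country": "US", "subdivision": "CA"}; None means the
    address is not mapped to any location.
    """
    validate_geo_records(records)
    by_key = {_loc_key(r["GeoLocation"]): r for r in records}
    default = by_key.get((None, "*", None))
    if query_location is None:
        return default["Value"] if default else None
    continent = query_location.get("continent")
    country = query_location.get("country")
    subdivision = query_location.get("subdivision")
    # Smallest region wins: state, then country, then continent.
    candidates: List[Optional[LocKey]] = [
        (None, country, subdivision) if country and subdivision else None,
        (None, country, None) if country else None,
        (continent, None, None) if continent else None,
    ]
    for key in candidates:
        if key is not None and key in by_key:
            return by_key[key]["Value"]
    return default["Value"] if default else None
```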
More on Health Checking
Amazon Route 53 health checks monitor the health of your resources such as web servers and email servers. You can configure Amazon CloudWatch alarms for your health checks so that you receive notification when a resource becomes unavailable. You can also configure Amazon Route 53 to route Internet traffic away from resources that are unavailable.
Health checks and DNS failover are major tools in the Amazon Route 53 feature set that help make your application highly available and resilient to failures. If you deploy an application in multiple Availability Zones and multiple AWS regions, with Amazon Route 53 health checks attached to every endpoint, Amazon Route 53 can send back a list of healthy endpoints only. Health checks can automatically switch to a healthy endpoint with minimal disruption to your clients and without any configuration changes. You can use this automatic recovery scenario in active-active or active-passive setups, depending on whether your additional endpoints are always hit by live traffic or only after all primary endpoints have failed. Using health checks and automatic failovers, Amazon Route 53 improves your service uptime, especially when compared to the traditional monitor-alert-restart approach of addressing failures.
Amazon Route 53 health checks are not triggered by DNS queries; they are run periodically by AWS checkers in multiple locations, and results are published to all DNS servers. This way, name servers can be aware of an unhealthy endpoint and route differently within approximately 30 seconds of a problem (using the 10-second "fast" check interval and the default failure threshold of three failed tests in a row; with the standard 30-second interval, detection takes about 90 seconds). New DNS results will be known to clients a minute later (assuming your TTL is 60 seconds), bringing complete recovery time to about a minute and a half in total in the fast-interval scenario. Note that the checkers connect from AWS-published address ranges, so your security groups and firewalls must allow them, or every endpoint will appear unhealthy.
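The timing arithmetic above and the active-passive selection it drives are shown here as an added example; this is not Route 53's implementation and not code from the book. The `HealthCheck` class models one check with Route 53's request interval (30 seconds standard, 10 seconds fast) and a failure threshold that must be met by consecutive results in either direction; `failover_answer` models a failover record pair. The choice to answer with the primary when both members are unhealthy is this example's policy, an assumption the page does not state.

```python
"""Health-check state machine, failover answer selection, and the
recovery-time arithmetic from the text (added example; standard library only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HealthCheck:
    """One Route 53 health check. interval_seconds is 30 (standard) or 10 (fast);
    failure_threshold consecutive results are needed to move the state from
    healthy to unhealthy or back again."""
    interval_seconds: int = 10
    failure_threshold: int = 3
    healthy: bool = True
    streak: int = 0  # consecutive results that disagree with `healthy`

    def observe(self, success: bool) -> bool:
        """Record one checker result and return the health state after it."""
        if success == self.healthy:
            self.streak = 0          # a single blip does not flip the state
        else:
            self.streak += 1
            if self.streak >= self.failure_threshold:
                self.healthy = success
                self.streak = 0
        return self.healthy

    def detection_seconds(self) -> int:
        """Worst-case time from an outage to Route 53 marking the endpoint unhealthy."""
        return self.interval_seconds * self.failure_threshold


def failover_answer(primary_value: str, primary: HealthCheck,
                    secondary_value: str, secondary: Optional[HealthCheck] = None) -> str:
    """Active-passive selection: the primary answers while healthy, otherwise the
    secondary does. A secondary without a health check is assumed healthy.
    If both are unhealthy this example answers with the primary (an assumption)."""
    if primary.healthy:
        return primary_value
    if secondary is None or secondary.healthy:
        return secondary_value
    return primary_value


def recovery_seconds(hc: HealthCheck, ttl_seconds: int) -> int:
    """Outage-to-recovery estimate for clients: detection time plus one TTL for
    cached answers at resolvers to expire."""
    return hc.detection_seconds() + ttl_seconds


if __name__ == "__main__":
    fast = HealthCheck(interval_seconds=10)
    print("fast interval, TTL 60:", recovery_seconds(fast, 60), "seconds")
    print("standard interval, TTL 60:", recovery_seconds(HealthCheck(interval_seconds=30), 60), "seconds")
```

With a 10-second interval and threshold 3 the function returns 90 seconds for a 60-second TTL, the "minute and a half" in the text; the same TTL with the 30-second interval gives 150 seconds, which is the number to plan for if you leave the interval at its default.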
The 2014 AWS re:Invent session SDD408, "Amazon Route 53 Deep Dive: Delivering Resiliency, Minimizing Latency," introduced a set of best practices for Amazon Route 53. Explore those best practices to help you get started using Amazon Route 53 as a building block to deliver highly-available and resilient applications on AWS.
Amazon Route 53 Enables Resiliency
When pulling these concepts together to build an application that is highly available and resilient to failures, consider these building blocks:
In every AWS region, an Elastic Load Balancing load balancer is set up with cross-zone load balancing and connection draining. This distributes the load evenly across all instances in all Availability Zones, and it ensures requests in flight are fully served before an Amazon EC2 instance is disconnected from an Elastic Load Balancing load balancer for any reason.
Each Elastic Load Balancing load balancer delegates requests to Amazon EC2 instances running in multiple Availability Zones in an Auto Scaling group. This protects the application from Availability Zone outages, ensures that a minimum number of instances is always running, and responds to changes in load by properly scaling each group's Amazon EC2 instances.
Each Elastic Load Balancing load balancer has health checks defined to ensure that it delegates requests only to healthy instances.
Each Elastic Load Balancing load balancer also has an Amazon Route 53 health check associated with it to ensure that requests are routed only to load balancers that have healthy Amazon EC2 instances.
The application's production environment (for example, prod.domain.com) has Amazon Route 53 alias records that point to Elastic Load Balancing load balancers. The production environment also uses a latency-based routing policy that is associated with Elastic Load Balancing health checks (an alias record with Evaluate Target Health enabled, so that a load balancer with no healthy instances is taken out of the latency decision). This ensures that requests are routed to a healthy load balancer, thereby providing minimal latency to a client.
The application's failover environment (for example, fail.domain.com) has an Amazon Route 53 alias record that points to an Amazon CloudFront distribution of an Amazon S3 bucket hosting a static version of the application.
The application's subdomain (for example, www.domain.com) has Amazon Route 53 alias records that point to prod.domain.com (as primary target) and fail.domain.com (as secondary target) using a failover routing policy. This ensures www.domain.com routes to the production load balancers if at least one of them is healthy, or to the "fail whale" if all of them appear to be unhealthy.
The application's hosted zone apex (for example, domain.com) has an Amazon Route 53 alias record that redirects requests to www.domain.com using an Amazon S3 bucket of the same name configured for website redirection.
Application content (both static and dynamic) can be served using Amazon CloudFront. This ensures that the content is delivered to clients from Amazon CloudFront edge locations spread all over the world to provide minimal latency. Serving dynamic content from a Content Delivery Network (CDN), where it is cached for short periods of time (that is, several seconds), takes the load off of the application and further improves its latency and responsiveness.
The application is deployed in multiple AWS regions, protecting it from a regional outage.
Summary
In this chapter, you learned the fundamentals of DNS, which is the methodology that computers use to convert human-friendly domain names (for example, amazon.com) into IP addresses (such as 192.0.2.1).
DNS starts with TLDs (for example, .com, .edu). The Internet Assigned Numbers Authority (IANA) controls the TLDs in a root zone database, which is essentially a database of all available TLDs.
DNS names are registered with a domain registrar. A registrar is an authority that can assign domain names directly under one or more TLDs. These domains are registered with InterNIC, a service of ICANN, which enforces the uniqueness of domain names across the Internet. Each domain name becomes registered in a central database, known as the WHOIS database.
DNS consists of a number of different record types, including but not limited to the following:
A
AAAA
CNAME
MX
NS
PTR
SOA
SPF
TXT
Amazon Route 53 is a highly available and highly scalable AWS-provided DNS service. Amazon Route 53 connects user requests to infrastructure running on AWS (for example, Amazon EC2 instances and Elastic Load Balancing load balancers). It can also be used to route users to infrastructure outside of AWS.
With Amazon Route 53, your DNS records are organized into hosted zones that you configure with the Amazon Route 53 API. A hosted zone simply stores records for your domain. These records can consist of A, CNAME, MX, and other supported record types.
Amazon Route 53 allows you to have several different routing policies, including the following:
Simple—Most commonly used when you have a single resource that performs a given function for your domain
Weighted—Used when you want to route a percentage of your traffic to one particular resource or resources
Latency-Based—Used to route your traffic based on the lowest latency so that your users get the fastest response times
Failover—Used for DR and to route your traffic from your resources in a primary location to a standby location
Geolocation—Used to route your traffic based on your end user's location
Remember to pull these concepts together to build an application that is highly available and resilient to failures. Use Elastic Load Balancing load balancers across Availability Zones with connection draining enabled, use health checks defined to ensure that the application delegates requests only to healthy Amazon EC2 instances, and use a latency-based routing policy with Elastic Load Balancing health checks to ensure requests are routed with minimal latency to clients. Use Amazon CloudFront edge locations to spread content all over the world with minimal client latency. Deploy the application in multiple AWS regions, protecting it from a regional outage.
Exam Essentials
Understand what DNS is. DNS is the methodology that computers use to convert human-friendly domain names (for example, amazon.com) into IP addresses (such as 192.0.2.1).
Know how DNS registration works. Domains are registered with domain registrars that in turn register the domain name with InterNIC, a service of ICANN. ICANN enforces uniqueness of domain names across the Internet. Each domain name becomes registered in a central database known as the WHOIS database. Domains are defined by their TLDs. TLDs are controlled by IANA in a root zone database, which is essentially a database of all available TLDs.
Remember the steps involved in DNS resolution. Your browser asks the resolving DNS server what the IP address is for amazon.com. The resolving server does not know the address, so it asks a root server the same question. There are 13 root server addresses (named A through M), each served by many anycast instances around the world and operated by 12 independent organizations; the root zone they serve is maintained by IANA, a function ICANN performs. The root server replies that it does not know the answer to this, but it can give the address of a TLD server that knows about .com domain names. The resolving server then contacts the TLD server. The TLD server does not know the address of the domain name either, but it does know the address of the domain's authoritative name server. The resolving server then queries the authoritative name server. The authoritative name server holds the authoritative records and sends these to the resolving server, which then caches these records locally for the record's TTL so it does not have to perform these steps again in the near future. The resolving server returns this information to the user's web browser, which also caches the information.
Remember the different record types. DNS consists of the following different record types: A (address record), AAAA (IPv6 address record), CNAME (canonical name record or alias), MX (mail exchange record), NS (name server record), PTR (pointer record), SOA (start of authority record), SPF (sender policy framework), SRV (service locator), and TXT (text record). You should know the differences among each record type.
Remember the different routing policies. With Amazon Route 53, you can have different routing policies. The simple routing policy is most commonly used when you have a single resource that performs a given function for your domain. Weighted routing is used when you want to route a percentage of your traffic to a particular resource or resources. Latency-based routing is used to route your traffic based on the lowest latency so that your users get the fastest response times. Failover routing is used for DR and to route your traffic from a primary resource to a standby resource. Geolocation routing is used to route your traffic based on your end user's location.
Exercises
In this section, you explore the different types of DNS routing policies that you can create using AWS. For specific step-by-step instructions, refer to the Amazon Route 53 information and documentation at http://aws.amazon.com/route53/. You will need your own domain name to complete this section, and you should be aware that Amazon Route 53 is not AWS Free Tier eligible. Hosting a zone on Amazon Route 53 should cost you a minimal amount per month per hosted zone, and additional charges will be levied depending on the routing policy you use. For current information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.
EXERCISE 9.1
Create a New Zone
1. Log in to the AWS Management Console.
2. Navigate to Amazon Route 53, and create a hosted zone.
3. Enter your domain name, and create your new zone file.
4. In the new zone file, you will see the SOA record and name servers. You will need to log in to your domain registrar's website, and update the name servers with your AWS name servers.
5. After you update your name servers with your domain registrar, Amazon Route 53 will be configured to serve DNS requests for your domain.
You have now created your first Amazon Route 53 zone.
EXERCISE 9.2
Create Two Web Servers in Two Different Regions
In this exercise, you will create two new Amazon EC2 web servers in different AWS regions. You will use these in the following exercises when setting up Amazon Route 53 to access the web servers.
Create an Amazon EC2 Instance
1. Log in to the AWS Management Console.
2. Change your region to Asia Pacific (Sydney).
3. In the Compute section, load the Amazon EC2 dashboard. Launch an instance, and select the first Amazon Linux Amazon Machine Image (AMI).
4. Select the instance type, and configure your instance details. Take a close look at the different options available to you, and change your instance's storage device settings as necessary.
5. Name the instance Sydney, and add a security group that allows HTTP (TCP port 80) in. Restrict SSH (TCP port 22) to your own IP address rather than opening it to the world.
6. Launch your new Amazon EC2 instance, and verify that it has launched properly.
Connect to Your Amazon EC2 Instance
7. Navigate to the Amazon EC2 instance in the AWS Management Console, and copy the public IP address to your clipboard. Also note the instance's private IP address; you will need it in Exercise 9.5.
8. Using a Secure Shell (SSH) client of your choice, connect to your Amazon EC2 instance using the public IP address, the username ec2-user, and your private key.
9. When prompted about the authenticity of the host, type yes, and continue.
10. You should now be connected to your Amazon EC2 instance. Elevate your privileges to root by typing sudo su.
11. While you're logged in as the root user to your Amazon EC2 instance, run the following command to install Apache httpd:
# yum install httpd -y
12. After the installation has completed, run the command service httpd start followed by chkconfig httpd on.
13. On the EC2 instance, change to the web root by typing: cd /var/www/html
14. Type nano index.html and press Enter.
15. In Nano, type This is the Sydney Server and then press Ctrl+X.
16. Type Y to confirm that you want to save the changes, and then press Enter.
17. Type ls. You should now see your newly created index.html file.
18. In your browser, navigate to http://yourpublicipaddress/index.html.
You should now see your "This is the Sydney Server" home page. If you do not see this, check your security group to make sure you allowed access for port 80.
Create an Elastic Load Balancing Load Balancer
19. Return to the AWS Management Console, and navigate to the Amazon EC2 dashboard.
20. Create a load balancer named Sydney, leaving the settings at their default values.
21. Create your security group, and allow all traffic in on port 80.
22. Configure the health check, leaving the settings at their default values.
23. Select your newly added instance. Add tags here if you want to tag your instances.
24. Click Create to provision your load balancer.
Create These Resources in a Second Region
25. Return to the AWS Management Console, and change your region to South America (São Paulo).
26. Repeat the three procedures in this section to add a second Amazon EC2 instance and a load balancer in this new region.
You have now created two web servers in different regions of the world and placed these regions behind Elastic Load Balancing load balancers.
EXERCISE 9.3
Create an Alias A Record with a Simple Routing Policy
1. Log in to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Select your newly-created zone domain name, and create a record set of type A - IPv4 address, leaving the name blank so that the record applies to the zone apex.
3. Set Alias to Yes, choose your Sydney load balancer as the alias target, and leave your routing policy set to Simple.
4. In your web browser, navigate to your domain name. You should now see the welcome page served from the Sydney region. If you do not see this, check that your Amazon EC2 instance is attached to your load balancer and that the instance is in service. If the instance is not in service, this means that it is failing its health check. Check that Apache HTTP Server (httpd) is running and that your index.html document is accessible.
You have now created your first alias A record for the zone apex using the simple routing policy.
EXERCISE 9.4
Create a Weighted Routing Policy
1. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Navigate to hosted zones, and select your newly-created zone domain name.
3. Create a record set with the name set to developer. This will create a subdomain of developer.yourdomainname.com.
4. Set Alias to Yes, and select your Sydney load balancer. Change the routing policy to Weighted with a Weight of 50 and a Set ID of Sydney. Leave the other values at their defaults. Click Create. You will now see your newly-created DNS entry.
5. Create another record set with the name set to developer. This will add a new record with the same name you created earlier. Both records will work together.
6. Set Alias to Yes, and select your São Paulo load balancer. Change the routing policy to Weighted with a Weight of 50 and a Set ID of SaoPaulo. Leave the other values at their defaults. Click Create. You will now see your newly-created DNS entry.
7. Test your DNS by visiting http://developer.yourdomainname.com and refreshing the page. Over many requests you should reach the Sydney server about 50 percent of the time and the São Paulo server the other 50 percent. Because your resolver caches each answer for the record's TTL, consecutive refreshes from one machine will often land on the same server; query the name with dig or nslookup from several resolvers, or wait out the TTL between refreshes, to see the split.
You have now created a weighted DNS routing policy. You can continue to experiment with other routing policies by following the documentation at http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html.
EXERCISE 9.5
Create a Hosted Zone for Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC details are covered in Chapter 4, "Amazon Virtual Private Cloud (Amazon VPC)."
Create a Private Hosted Zone
1. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Create a hosted zone, and enter your private domain name.
3. Select the default Amazon VPC that you used in Exercise 9.2 to deploy the first server in the Asia Pacific (Sydney) region. Click Create. This will create a new zone file.
Verify Amazon VPC Configuration
4. Return to the AWS Management Console, and change your region to Asia Pacific (Sydney).
5. In the Amazon VPC dashboard, choose Your VPCs.
6. Click on the default Amazon VPC from the list. Ensure that both DNS resolution and DNS hostnames are enabled. Both settings must be enabled for instances in the VPC to resolve names in a private hosted zone.
Create Resource Record Sets
7. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
8. Select your newly-created private zone domain name, and create a record set.
9. Enter the name you want to give to your Amazon EC2 instance (for example, webserver1), and select IPv4 address with no alias.
10. Enter the internal IP address of your Amazon EC2 instance that you noted in Exercise 9.2.
11. Leave your routing policy set to Simple, and click Create.
Connect to Your Amazon EC2 Instance
12. On the Amazon EC2 instances screen, wait until you see your virtual machine's instance state as running. Copy the public IP address to your clipboard.
13. Using an SSH client of your choice, connect to your Amazon EC2 instance using the public IP address, the username ec2-user, and your private key. For example, if you're using Terminal in OS X, you would type the following command, substituting the path to your key file and the instance's public IP address:
ssh -i /path/to/your-key.pem ec2-user@<public-ip-address>
14. When prompted about the authenticity of the host, type yes and continue. You should now be connected to your Amazon EC2 instance.
15. While you're logged in to your Amazon EC2 instance, run the following command to check if the hostnames in Amazon Route 53 are resolving:
nslookup webserver1.yourprivatehostedzone.com
16. You should receive a non-authoritative answer with the hostname and IP address for the record set that you created in Amazon Route 53.
You have now created a private hosted zone in Amazon Route 53 and associated it with an Amazon VPC. You can continue to add instances in Amazon VPC and create resource record sets for them in Amazon Route 53. These new instances would be able to inter-communicate with the instances in the same Amazon VPC using the domain name that you created.
Remember to delete your Amazon EC2 instances and Elastic Load Balancing load balancers after you've finished experimenting with your different routing policies. You may also want to delete the zone if you are no longer using it.
Review Questions
1. Which type of record is commonly used to route traffic to an IPv6 address?
A. An A record
B. A CNAME
C. An AAAA record
D. An MX record
2. Where do you register a domain name?
A. With your local government authority
B. With a domain registrar
C. With InterNIC directly
D. With the Internet Assigned Numbers Authority (IANA)
3. You have an application that for legal reasons must be hosted in the United States when U.S. citizens access it. The application must be hosted in the European Union when citizens of the EU access it. For all other citizens of the world, the application must be hosted in Sydney. Which routing policy should you choose in order to achieve this?
A. Latency-based routing
B. Simple routing
C. Geolocation routing
D. Failover routing
4. Which type of DNS record should you use to resolve an IP address to a domain name?
A. An A record
B. A CNAME
C. An SPF record
D. A PTR record
5. You host a web application across multiple AWS regions in the world, and you need to configure your DNS so that your end users will get the fastest network performance possible. Which routing policy should you apply?
A. Geolocation routing
B. Latency-based routing
C. Simple routing
D. Weighted routing
6. Which DNS record should you use to configure the transmission of email to your intended mail server?
A. SPF records
B. A records
C. MX records
D. SOA record
7. Which DNS records are commonly used to stop email spoofing and spam?
A. MX records
B. SPF records
C. A records
D. CNAMEs
8. You are rolling out A and B test versions of a web application to see which version results in the most sales. You need 10 percent of your traffic to go to version A, 10 percent to go to version B, and the rest to go to your current production version. Which routing policy should you choose to achieve this?
A. Simple routing
B. Weighted routing
C. Geolocation routing
D. Failover routing
9. Which DNS record must all zones have by default?
A. SPF
B. TXT
C. MX
D. SOA
10. Your company has its primary production site in Western Europe and its DR site in the Asia Pacific. You need to configure DNS so that if your primary site becomes unavailable, you can fail DNS over to the secondary site. Which DNS routing policy would best achieve this?
A. Weighted routing
B. Geolocation routing
C. Simple routing
D. Failover routing
11. Which type of DNS record should you use to resolve a domain name to another domain name?
A. An A record
B. A CNAME record
C. An SPF record
D. A PTR record
12. Which is a function that Amazon Route 53 does not perform?
A. Domain registration
B. DNS service
C. Load balancing
D. Health checks
13. Which DNS record can be used to store human-readable information about a server, network, and other accounting data with a host?
A. A TXT record
B. An MX record
C. An SPF record
D. A PTR record
14. Which resource record set would not be allowed for the hosted zone example.com?
A. www.example.com
B. www.aws.example.com
C. www.example.ca
D. www.beta.example.com
15. Which port number is used to serve requests by DNS?
A. 22
B. 53
C. 161
D. 389
16. Which protocol is primarily used by DNS to serve requests?
A. Transmission Control Protocol (TCP)
B. HyperText Transfer Protocol (HTTP)
C. File Transfer Protocol (FTP)
D. User Datagram Protocol (UDP)
17. Which protocol is used by DNS when response data size exceeds 512 bytes?
A. Transmission Control Protocol (TCP)
B. HyperText Transfer Protocol (HTTP)
C. File Transfer Protocol (FTP)
D. User Datagram Protocol (UDP)
18. What are the different hosted zones that can be created in Amazon Route 53?
1. Public hosted zone
2. Global hosted zone
3. Private hosted zone
A. 1 and 2
B. 1 and 3
C. 2 and 3
D. 1, 2, and 3
19. Amazon Route 53 cannot route queries to which AWS resource?
A. Amazon CloudFront distribution
B. Elastic Load Balancing load balancer
C. Amazon EC2
D. AWS OpsWorks
20. When configuring Amazon Route 53 as your DNS service for an existing domain, which is the first step that needs to be performed?
A. Create hosted zones.
B. Create resource record sets.
C. Register a domain with Amazon Route 53.
D. Transfer domain registration from current registrar to Amazon Route 53.
Chapter 10
Amazon ElastiCache
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
Planning and design
Architectural trade-off decisions
Best practices for AWS architecture
Elasticity and scalability
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS administration and security services
3.2 Recognize critical disaster recovery techniques and their implementation.
Introduction
This chapter focuses on building high-performance applications using in-memory caching technologies and Amazon ElastiCache. By using the Amazon ElastiCache service, you can offload the heavy lifting involved in the deployment and operation of cache environments running Memcached or Redis. It focuses on key topics you need to understand for the exam, including:
How to improve application performance using caching
How to launch cache environments in the cloud
What the basic differences and use cases for Memcached and Redis are
How to scale your cluster vertically
How to scale your Memcached cluster horizontally using additional cache nodes
How to scale your Redis cluster horizontally using replication groups
How to back up and recover your Redis cluster
How to apply a layered security model
In-Memory Caching
One of the common characteristics of a successful application is a fast and responsive user experience. Research has shown that users will get frustrated and leave a website or app when it is slow to respond. In 2007, testing of Amazon.com's retail site showed that for every 100 ms increase in load times, sales decreased by 1%. Round-trips back and forth to a database and its underlying storage can add significant delays and are often the top contributor to application latency.
Caching frequently-used data is one of the most important performance optimizations you can make in your applications. Compared to retrieving data from an in-memory cache, querying a database is an expensive operation. By storing or moving frequently accessed data in-memory, application developers can significantly improve the performance and responsiveness of read-heavy applications. For example, the application session state for a large website can be stored in an in-memory caching engine, instead of storing the session data in the database. Because neither Memcached nor the Redis versions discussed here authenticate clients, anyone who can reach the cache port can read or forge that session state; the cache must be reachable only from the application tier's security group.
For many years, developers have been building applications that use cache engines like Memcached or Redis to store data in-memory to get blazing fast application performance. Memcached is a simple-to-use in-memory key/value store that can be used to store arbitrary types of data. It is one of the most popular cache engines. Redis is a flexible in-memory data structure store that can be used as a cache, database, or even as a message broker. Amazon ElastiCache allows developers to easily deploy and manage cache environments running either Memcached or Redis.
Amazon ElastiCache
Amazon ElastiCache is a web service that simplifies the setup and management of distributed in-memory caching environments. This service makes it easy and cost effective to provide a high-performance and scalable caching solution for your cloud applications. You can use Amazon ElastiCache in your applications to speed the deployment of cache clusters and reduce the administration required for a distributed cache environment.
With Amazon ElastiCache, you can choose from a Memcached or Redis protocol-compliant cache engine and quickly launch a cluster within minutes. Because Amazon ElastiCache is a managed service, you can start using the service today with very few or no modifications to your existing applications that use Memcached or Redis. Because Amazon ElastiCache is protocol-compliant with both of these engines, you only need to change the endpoint in your configuration files.
Using Amazon ElastiCache, you can implement any number of caching patterns. The most common pattern is the cache-aside pattern depicted in Figure 10.1. In this scenario, the app server checks the cache first to see if it contains the data it needs. If the data does not exist in the cache node, it will query the database and serialize and write the query results to the cache. The next user request will then be able to read the data directly from the cache instead of querying the database.
FIGURE 10.1 Common caching architecture
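The cache-aside read path from Figure 10.1, as an added example that is not code from the book or from AWS. An in-memory class with get/set-and-expire semantics stands in for the Memcached or Redis node so the example runs offline; with a real client only the two cache calls change. The "database" is a constructed dict lookup. Serialization is JSON rather than pickle on purpose: a shared cache is writable by every client that can reach it, and unpickling bytes an attacker may have planted executes code.

```python
"""Cache-aside read path with a TTL (added example; standard library only).
InMemoryCache stands in for a Memcached/Redis node; ProductCatalog is the
application-side logic from the text."""
import json
import time
from typing import Callable, Dict, Optional, Tuple


class InMemoryCache:
    """Minimal get/set-with-expiry store. The clock is injectable so the expiry
    path can be exercised without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._items: Dict[str, Tuple[float, bytes]] = {}

    def get(self, key: str) -> Optional[bytes]:
        item = self._items.get(key)
        if item is None:
            return None
        expires_at, value = item
        if self._clock() >= expires_at:
            del self._items[key]   # lazy expiry, as a cache engine would do
            return None
        return value

    def set(self, key: str, value: bytes, ttl_seconds: int) -> None:
        self._items[key] = (self._clock() + ttl_seconds, value)


class ProductCatalog:
    """Cache-aside: check the cache first, fall through to the database on a
    miss, and write the serialized row back with a TTL."""

    def __init__(self, cache: InMemoryCache, db_query: Callable[[int], dict],
                 ttl_seconds: int = 30) -> None:
        self.cache = cache
        self.db_query = db_query
        self.ttl_seconds = ttl_seconds
        self.db_reads = 0  # instrumentation so hits and misses are observable

    def get_product(self, product_id: int) -> dict:
        key = f"product:{product_id}"
        cached = self.cache.get(key)
        if cached is not None:
            return json.loads(cached)          # hit: no database round-trip
        row = self.db_query(product_id)        # miss: read from the database
        self.db_reads += 1
        # JSON, not pickle: cache contents are attacker-writable in the worst
        # case, and pickle.loads on untrusted bytes runs arbitrary code.
        self.cache.set(key, json.dumps(row).encode(), self.ttl_seconds)
        return row


# Constructed "database": a dict lookup standing in for a SQL query.
FAKE_DB = {1: {"id": 1, "name": "widget", "price_cents": 1999}}


def fake_query(product_id: int) -> dict:
    return dict(FAKE_DB[product_id])


if __name__ == "__main__":
    catalog = ProductCatalog(InMemoryCache(), fake_query, ttl_seconds=30)
    catalog.get_product(1)
    catalog.get_product(1)
    print("database reads after two lookups:", catalog.db_reads)
```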
While it is certainly possible to build and manage a cache cluster yourself on Amazon Elastic Compute Cloud (Amazon EC2), Amazon ElastiCache allows you to offload the heavy lifting of installation, patch management, and monitoring to AWS so you can focus on your application instead. Amazon ElastiCache also provides a number of features to enhance the reliability of critical deployments. While it is rare, the underlying Amazon EC2 instances can become impaired. Amazon ElastiCache can automatically detect and recover from the failure of a cache node. With the Redis engine, Amazon ElastiCache makes it easy to set up read replicas and fail over from the primary to a replica in the event of a problem.
Data Access Patterns
Retrieving a flat key from an in-memory cache will almost always be faster than the most optimized database query. You should evaluate the access pattern of the data before you decide to store it in cache. A good example of something to cache is the list of products in a catalog. For a busy website, the list of items could be retrieved thousands of times per second. While it makes sense to cache the most heavily requested items, you can also benefit from caching items that are not frequently requested.
There are also some data items that should not be cached. For example, if you generate a unique page every request, you probably should not cache the page results. However, even though the page changes every time, it does make sense to cache the components of the page that do not change.
Cache Engines
Amazon ElastiCache allows you to quickly deploy clusters of two different types of popular cache engines: Memcached and Redis. At a high level, Memcached and Redis may seem similar, but they support a variety of different use cases and provide different functionality.
Memcached
Memcached provides a very simple interface that allows you to write and read objects into in-memory key/value data stores. With Amazon ElastiCache, you can elastically grow and shrink a cluster of Memcached nodes to meet your demands. You can partition your cluster into shards and support parallelized operations for very high performance throughput. Memcached deals with objects as blobs that can be retrieved using a unique key. What you put into the object is up to you, and it is typically the serialized results from a database query. This could be simple string values or binary data.
Amazon ElastiCache supports a number of recent versions of Memcached. As of early 2016, the service supports Memcached version 1.4.24, and also older versions going back to 1.4.5. When a new version of Memcached is released, Amazon ElastiCache simplifies the upgrade process by allowing you to spin up a new cluster with the latest version.
Redis
In late 2013, Amazon ElastiCache added support to deploy Redis clusters. At the time of this writing, the service supports the deployment of Redis version 2.8.24, and also a number of older versions. Beyond the object support provided in Memcached, Redis supports a rich set of data types like strings, lists, and sets.
Unlike Memcached, Redis supports the ability to persist the in-memory data onto disk. This allows you to create snapshots that back up your data and then recover or replicate from the backups. Redis clusters also can support up to five read replicas to offload read requests. In the event of failure of the primary node, a read replica can be promoted and become the new master using Multi-AZ replication groups.
Redis also has advanced features that make it easy to sort and rank data. Some common use cases include building a leaderboard for a mobile application or serving as a high-speed message broker in a distributed system. With a Redis cluster, you can leverage a publish and subscribe messaging abstraction that allows you to decouple the components of your applications. A publish and subscribe messaging architecture gives you the flexibility to change how you consume the messages in the future without affecting the component that is producing the messages in the first place.
Nodes and Clusters
Each deployment of Amazon ElastiCache consists of one or more nodes in a cluster. There are many different types of nodes available to choose from based on your use case and the necessary resources. A single Memcached cluster can contain up to 20 nodes. Redis clusters are always made up of a single node; however, multiple clusters can be grouped into a Redis replication group.
The individual node types are derived from a subset of the Amazon EC2 instance type families, like t2, m3, and r3. The specific node types may change over time, but today they range from a t2.micro node type with 555 MB of memory up to an r3.8xlarge with 237 GB of memory, with many choices in between. The t2 cache node family is ideal for development and low-volume applications with occasional bursts, but certain features may not be available. The m3 family is a good blend of compute and memory, while the r3 family is optimized for memory-intensive workloads.
Depending on your needs, you may choose to have a few large nodes or many smaller nodes in your cluster or replication group. As demand for your application changes, you may also add or remove nodes from time to time. Each node type comes with a preconfigured amount of memory, with a small amount of the memory allocated to the caching engine and operating system itself.
DesignforFailure
Whileitisunlikely,youshouldplanforthepotentialfailureofanindividualcachenode.ForMemcachedclusters,youcandecreasetheimpactofthefailureofacachenodebyusingalargernumberofnodeswithasmallercapacity,insteadofafewlargenodes.
IntheeventthatAmazonElastiCachedetectsthefailureofanode,itwillprovisionareplacementandadditbacktothecluster.Duringthistime,yourdatabasewillexperienceincreasedload,becauseanyrequeststhatwouldhavebeencachedwillnowneedtobereadfromthedatabase.ForRedisclusters,AmazonElastiCachewilldetectfailureandreplacetheprimarynode.IfaMulti-AZreplicationgroupisenabled,areadreplicacanbeautomaticallypromotedtoprimary.
Memcached Auto Discovery
For Memcached clusters partitioned across multiple nodes, Amazon ElastiCache supports Auto Discovery with the provided client library. Auto Discovery simplifies your application code by no longer needing awareness of the infrastructure topology of the cache cluster in your application layer.
Using Auto Discovery
The Auto Discovery client gives your applications the ability to identify automatically all of the nodes in a cache cluster and to initiate and maintain connections to all of these nodes. The Auto Discovery client is available for .NET, Java, and PHP platforms.
Scaling
Amazon ElastiCache allows you to adjust the size of your environment to meet the needs of workloads as they evolve over time. Adding additional cache nodes allows you to easily expand horizontally and meet higher levels of read or write performance. You can also select different classes of cache nodes to scale vertically.
Horizontal Scaling
Amazon ElastiCache also adds additional functionality that allows you to scale horizontally the size of your cache environment. This functionality differs depending on the cache engine you have selected. With Memcached, you can partition your data and scale horizontally to 20 nodes or more. With Auto Discovery, your application can discover Memcached nodes that are added or removed from a cluster.
A Redis cluster consists of a single cache node that is handling read and write transactions. Additional clusters can be created and grouped into a Redis replication group. While you can only have one node handling write commands, you can have up to five read replicas handling read-only requests.
Vertical Scaling
Support for vertical scaling is more limited with Amazon ElastiCache. If you would like to change the cache node type and scale the compute resources vertically, the service does not directly allow you to resize your cluster in this manner. You can, however, quickly spin up a new cluster with the desired cache node types and start redirecting traffic to the new cluster. It's important to understand that a new Memcached cluster always starts empty, while a Redis cluster can be initialized from a backup.
Replication and Multi-AZ
Replication is a useful technique to provide rapid recovery in the event of a node failure, and also to serve up very high volumes of read queries beyond the capabilities of a single node. Amazon ElastiCache clusters running Redis support both of these design requirements. Unlike Redis, cache clusters running Memcached are standalone in-memory services without any redundant data protection services.
Cache clusters running Redis support the concept of replication groups. A replication group consists of up to six clusters, with five of them designated as read replicas. This allows you to scale horizontally by writing code in your application to offload reads to one of the five clones (see Figure 10.2).
FIGURE 10.2 Redis replication group
Multi-AZ Replication Groups
You can also create a Multi-AZ replication group that allows you to increase availability and minimize the loss of data. Multi-AZ simplifies the process of dealing with a failure by automating the replacement and failover from the primary node.
In the event the primary node fails or can't be reached, Multi-AZ will select and promote a read replica to become the new primary, and a new node will be provisioned to replace the failed one. Amazon ElastiCache will then update the Domain Name System (DNS) entry of the new primary node to allow your application to continue processing without any configuration change and with only a short disruption.
Understand That Replication Is Asynchronous
It's important to keep in mind that replication between the clusters is performed asynchronously and there will be a small delay before data is available on all cluster nodes.
Backup and Recovery
Amazon ElastiCache clusters running Redis allow you to persist your data from in-memory to disk and create a snapshot. Each snapshot is a full clone of the data that can be used to recover to a specific point in time or to create a copy for other purposes. Snapshots cannot be created for clusters using the Memcached engine because it is a purely in-memory key/value store and always starts empty. Amazon ElastiCache uses the native backup capabilities of Redis and will generate a standard Redis database backup file that gets stored in Amazon Simple Storage Service (Amazon S3).
Snapshots require compute and memory resources to perform and can potentially have a performance impact on heavily used clusters. Amazon ElastiCache will try different backup techniques depending on the amount of memory currently available. A best practice is to set up a replication group and perform a snapshot against one of the read replicas instead of the primary node.
In addition to manually initiated snapshots, snapshots can be created automatically based on a schedule. You can also configure a window for the snapshot operation to be completed and specify how many days of backups you want to store. Manual snapshots are stored indefinitely until you delete them.
Backup Redis Clusters
Use a combination of automatic and manual snapshots to meet your recovery objectives for your Redis cluster. Memcached is purely in-memory and does not have native backup capabilities.
Whether the snapshot was created automatically or manually, the snapshot can then be used to create a new cluster at any time. By default, the new cluster will have the same configuration as the source cluster, but you can override these settings. You can also restore from an RDB file generated from any other compatible Redis cluster.
Access Control
Access to your Amazon ElastiCache cluster is controlled primarily by restricting inbound network access to your cluster. Inbound network traffic is restricted through the use of security groups. Each security group defines one or more inbound rules that restrict the source traffic. When deployed inside of a Virtual Private Cloud (VPC), each node will be issued a private IP address within one or more subnets that you select. Individual nodes can never be accessed from the Internet or from Amazon EC2 instances outside the VPC. You can further restrict network ingress at the subnet level by modifying the network Access Control Lists (ACLs).
Access to manage the configuration and infrastructure of the cluster is controlled separately from access to the actual Memcached or Redis service endpoint. Using the AWS Identity and Access Management (IAM) service, you can define policies that control which AWS users can manage the Amazon ElastiCache infrastructure itself.
Some of the key actions an administrator can perform include CreateCacheCluster, ModifyCacheCluster, or DeleteCacheCluster. Redis clusters also support CreateReplicationGroup and CreateSnapshot actions, among others.
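As an added example (not from the study guide), the following IAM policy grants an operator the management actions named above while explicitly denying deletion, which is the split a least-privilege operations role usually wants. The Describe* and Delete* action names beyond those on this page are real IAM actions added here for completeness. Note what the policy does not do: IAM governs only this management plane, so connections to the Memcached or Redis endpoint itself are still controlled exclusively by security groups and network ACLs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyInventory",
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OperateClusters",
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:ModifyCacheCluster",
        "elasticache:CreateReplicationGroup",
        "elasticache:CreateSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NoDestructiveActions",
      "Effect": "Deny",
      "Action": [
        "elasticache:DeleteCacheCluster",
        "elasticache:DeleteReplicationGroup",
        "elasticache:DeleteSnapshot"
      ],
      "Resource": "*"
    }
  ]
}
```

An explicit Deny wins over any Allow the same principal picks up from another policy, so the destructive actions stay blocked even if a broader policy is attached later; deletion rights belong in a separate role that is assumed only when needed.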
Summary
In this chapter, you learned about caching environments within the cloud using Amazon ElastiCache. You can quickly launch clusters running Memcached or Redis to store frequently used data in-memory. Caching can speed up the response time of your applications, reduce load on your back-end data stores, and improve the user experience.
With Amazon ElastiCache, you can offload the administrative tasks for provisioning and operating clusters and focus on the application. Each cache cluster contains one or more nodes. Select from a range of node types to give the right mix of compute and memory resources for your use case.
You can expand both Memcached and Redis clusters vertically by selecting a larger or smaller node type to match your needs. With Amazon ElastiCache and the Memcached engine, you can also scale your cluster horizontally by adding or removing nodes. With Amazon ElastiCache and the Redis engine, you can also scale horizontally by creating a replication group that will automatically replicate across multiple read replicas.
Streamline your backup and recovery process for Redis clusters with Amazon ElastiCache's consistent operational model. While Memcached clusters are in-memory only and cannot be persisted, Redis clusters support both automated and manual snapshots. A snapshot can then be restored to recover from a failure or to clone an environment.
You can secure your cache environments at the network level with security groups and network ACLs, and at the infrastructure level using IAM policies. Security groups will serve as your primary access control mechanism to restrict inbound access for active clusters.
You should analyze your data usage patterns and identify frequently run queries or other expensive operations that could be candidates for caching. You can relieve pressure from your database by offloading read requests to the cache tier. Data elements that are accessed on every page load, or with every request but do not change, are often prime candidates for caching. Even data that changes frequently can often benefit from being cached with very large request volumes.
Exam Essentials
Know how to use Amazon ElastiCache. Improve the performance of your application by deploying Amazon ElastiCache clusters as part of your application and offloading read requests for frequently accessed data. Use the cache-aside pattern in your application first to check the cache for your query results before checking the database.
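The cache-aside pattern named in this essential, as an added Python example (not code from the study guide or from an AWS client library). A dict-backed cache with TTL stands in for the Memcached or Redis endpoint so the example runs offline, and the "database" is a constructed dictionary; real code would talk to the cluster's DNS endpoint through the engine's client library. The walk-through covers the four cases that matter in practice: miss, hit, invalidation on write, and TTL expiry.

```python
import time


class ManualClock:
    """Controllable clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class TtlCache:
    """Dict-backed stand-in for a Memcached or Redis endpoint (assumption: a
    real deployment would use the engine's client library instead)."""

    def __init__(self, clock=time.monotonic):
        self._store = {}   # key -> (value, expires_at)
        self._clock = clock

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:
            del self._store[key]   # lazy expiry, like the engines' TTL handling
            return None
        return value

    def set(self, key, value, ttl_seconds):
        self._store[key] = (value, self._clock() + ttl_seconds)

    def delete(self, key):
        self._store.pop(key, None)


class ProductRepository:
    """Cache-aside: check the cache first, fall back to the database on a miss
    and populate the cache; writes go to the database and evict the entry."""

    def __init__(self, cache, database, ttl_seconds=300):
        self.cache = cache
        self.database = database   # constructed stand-in: dict of id -> row
        self.ttl_seconds = ttl_seconds
        self.db_reads = 0          # counts the load that reaches the database

    @staticmethod
    def _key(product_id):
        return f"product:{product_id}"

    def get_product(self, product_id):
        row = self.cache.get(self._key(product_id))
        if row is not None:
            return row                                   # cache hit
        self.db_reads += 1                               # cache miss
        row = self.database.get(product_id)
        if row is not None:
            self.cache.set(self._key(product_id), row, self.ttl_seconds)
        return row

    def update_product(self, product_id, row):
        self.database[product_id] = row
        self.cache.delete(self._key(product_id))   # invalidate rather than update in place


def run_demo():
    """Walk through miss, hit, invalidation and expiry; returns the observations."""
    clock = ManualClock()
    database = {"sku-1": {"name": "Widget", "price": 9.99}}   # constructed data
    repo = ProductRepository(TtlCache(clock), database, ttl_seconds=60)

    repo.get_product("sku-1")                  # miss -> database read 1
    repo.get_product("sku-1")                  # hit  -> still 1
    reads_after_hit = repo.db_reads

    repo.update_product("sku-1", {"name": "Widget", "price": 10.99})
    price_after_update = repo.get_product("sku-1")["price"]   # miss -> 2
    reads_after_update = repo.db_reads

    clock.advance(61)                          # past the 60 s TTL
    repo.get_product("sku-1")                  # miss -> 3
    reads_after_expiry = repo.db_reads

    missing = repo.get_product("sku-404")      # absent from the database -> 4
    repo.get_product("sku-404")                # absent rows are not cached -> 5
    return {
        "reads_after_hit": reads_after_hit,
        "price_after_update": price_after_update,
        "reads_after_update": reads_after_update,
        "reads_after_expiry": reads_after_expiry,
        "missing": missing,
        "reads_total": repo.db_reads,
    }
```

Two design choices are worth noting. The write path evicts instead of writing the new value into the cache, which avoids a race where a slower concurrent reader repopulates the cache with a stale row. And lookups for keys that do not exist are never cached here, so a flood of requests for missing keys goes straight to the database every time; caching a short-lived negative marker for such keys is a common mitigation.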
Understand when to use a specific cache engine. Amazon ElastiCache gives you the choice of cache engine to suit your requirements. Use Memcached when you need a simple, in-memory object store that can be easily partitioned and scaled horizontally. Use Redis when you need to back up and restore your data, need many clones or read replicas, or are looking for advanced functionality like sort and rank or leaderboards that Redis natively supports.
Understand how to scale a Redis cluster horizontally. An Amazon ElastiCache cluster running Redis can be scaled horizontally first by creating a replication group, then by creating additional clusters and adding them to the replication group.
Understand how to scale a Memcached cluster horizontally. An Amazon ElastiCache cluster running Memcached can be scaled horizontally by adding or removing additional cache nodes to the cluster. The Amazon ElastiCache client library supports Auto Discovery and can discover new nodes added or removed from the cluster without having to hardcode the list of nodes.
Know how to back up your Amazon ElastiCache cluster. You can create a snapshot to back up your Amazon ElastiCache clusters running the Redis engine. Snapshots can be created automatically on a daily basis or manually on demand. Amazon ElastiCache clusters running Memcached do not support backup and restore natively.
Exercises
In this section, you will create a cache cluster using Amazon ElastiCache, expand the cluster with additional nodes, and finally create a replication group with an Amazon ElastiCache Redis cluster.
EXERCISE 10.1
Create an Amazon ElastiCache Cluster Running Memcached
In this exercise, you will create an Amazon ElastiCache cluster using the Memcached engine.
1. While signed in to the AWS Management Console, open the Amazon ElastiCache service dashboard.
2. Begin the launch and configuration process to create a new Amazon ElastiCache cluster.
3. Select the Memcached cache engine, and configure the cluster name, number of nodes, and node type.
4. Optionally configure the security group and maintenance window as needed.
5. Review the cluster configuration, and begin provisioning the cluster.
6. Connect to the cluster with any Memcached client using the DNS name of the cluster.
You have now created your first Amazon ElastiCache cluster.
EXERCISE 10.2
Expand the Size of a Memcached Cluster
In this exercise, you will expand the size of an existing Amazon ElastiCache Memcached cluster.
1. Launch a Memcached cluster using the steps defined in Exercise 10.1.
2. Go to the Amazon ElastiCache dashboard, and view the details of your existing cluster.
3. View the list of nodes currently provisioned, and then add one additional node by increasing the number of nodes.
4. Apply the configuration change, and wait for the new node to finish the provisioning process.
5. Verify that the new node has been created, and connect to the node using a Memcached client.
In this exercise, you have horizontally scaled an existing Amazon ElastiCache cluster by adding a cache node.
EXERCISE 10.3
Create an Amazon ElastiCache Cluster and Redis Replication Group
In this exercise, you will create an Amazon ElastiCache cluster using Redis nodes, create a replication group, and set up a read replica.
1. Sign in to the AWS Management Console, and navigate to the Amazon ElastiCache service dashboard.
2. Begin the configuration and launch process for a new Amazon ElastiCache cluster.
3. Select the Redis cache engine, and then configure a replication group and the node type.
4. Configure a read replica by setting the number of read replicas to 1, and verify that Enable Replication and Multi-AZ are selected.
5. Adjust the Availability Zones for the primary and read replica clusters, security groups, and maintenance window, as needed.
6. Review the cluster configuration, and begin provisioning the cluster.
7. Connect to the primary node and the read replica node with a Redis client library. Perform a simple set operation on the primary node, and then perform a get operation with the same key on the replica.
You have now created an Amazon ElastiCache cluster using the Redis engine and configured a read replica.
Review Questions
1. Which of the following objects are good candidates to store in a cache? (Choose 3 answers)
A. Session state
B. Shopping cart
C. Product catalog
D. Bank account balance
2. Which of the following cache engines are supported by Amazon ElastiCache? (Choose 2 answers)
A. MySQL
B. Memcached
C. Redis
D. Couchbase
3. How many nodes can you add to an Amazon ElastiCache cluster running Memcached?
A. 1
B. 5
C. 20
D. 100
4. How many nodes can you add to an Amazon ElastiCache cluster running Redis?
A. 1
B. 5
C. 20
D. 100
5. An application currently uses Memcached to cache frequently used database queries. Which steps are required to migrate the application to use Amazon ElastiCache with minimal changes? (Choose 2 answers)
A. Recompile the application to use the Amazon ElastiCache libraries.
B. Update the configuration file with the endpoint for the Amazon ElastiCache cluster.
C. Configure a security group to allow access from the application servers.
D. Connect to the Amazon ElastiCache nodes using Secure Shell (SSH) and install the latest version of Memcached.
6. How can you back up data stored in Amazon ElastiCache running Redis? (Choose 2 answers)
A. Create an image of the Amazon Elastic Compute Cloud (Amazon EC2) instance.
B. Configure automatic snapshots to back up the cache environment every night.
C. Create a snapshot manually.
D. Redis clusters cannot be backed up.
7. How can you secure an Amazon ElastiCache cluster? (Choose 3 answers)
A. Change the Memcached root password.
B. Restrict Application Programming Interface (API) actions using AWS Identity and Access Management (IAM) policies.
C. Restrict network access using security groups.
D. Restrict network access using a network Access Control List (ACL).
8. You are working on a mobile gaming application and are building the leaderboard feature to track the top scores across millions of users. Which AWS services are best suited for this use case?
A. Amazon Redshift
B. Amazon ElastiCache using Memcached
C. Amazon ElastiCache using Redis
D. Amazon Simple Storage Service (S3)
9. You have built a large web application that uses Amazon ElastiCache using Memcached to store frequent query results. You plan to expand both the web fleet and the cache fleet multiple times over the next year to accommodate increased user traffic. How do you minimize the amount of changes required when a scaling event occurs?
A. Configure Auto Discovery on the client side
B. Configure Auto Discovery on the server side
C. Update the configuration file each time a new cluster
D. Use an Elastic Load Balancer to proxy the requests
10. Which cache engines does Amazon ElastiCache support? (Choose 2 answers)
A. Memcached
B. Redis
C. Membase
D. Couchbase
Chapter 11 Additional Key Services
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM TOPICS OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS platform compliance
AWS security attributes (customer workloads down to physical layer)
AWS administration and security services
AWS CloudTrail
Ingress vs. egress filtering and which AWS cloud services and features fit
Encryption solutions (e.g., key services)
AWS Trusted Advisor
3.2 Recognize critical disaster recovery techniques and their implementation.
Content may include the following:
AWS Import/Export
AWS Storage Gateway
Introduction
Because Solutions Architects are often involved in solutions across a wide variety of business verticals and use cases, it is important to understand the basics of all AWS cloud service offerings. This chapter focuses on additional key AWS services that you should know at a high level to be successful on the exam. These services are grouped into four categories: Storage and Content Delivery, Security, Analytics, and DevOps.
Before architecting any system, foundational practices that influence security should be in place; for example, providing directories that contain organizational information, or understanding how encryption protects data by rendering it unintelligible to unauthorized access. As a Solutions Architect, understanding the AWS cloud services available to support an organization's directories and encryption is important because they support objectives such as identity management or complying with regulatory obligations.
Architecting analytical solutions is critical because the amount of data that companies need to understand continues to grow to record sizes. AWS provides analytic services that can scale to very large data stores efficiently and cost-effectively. Understanding these services allows Solutions Architects to build virtually any big data application and support any workload regardless of volume, velocity, and variety of data.
DevOps becomes an important concept as the pace of innovation accelerates and customer needs rapidly evolve, forcing businesses to become increasingly agile. Time to market is key, and to facilitate overall business goals, IT departments need to be agile. Understanding the DevOps options that are available on AWS will help Solutions Architects meet the demands of agile businesses that need IT operations to deploy applications in a consistent, repeatable, and reliable manner.
Understanding these additional services will not only help in your exam preparation, but it will also help you establish a foundation for growing as a Solutions Architect on the AWS platform.
Storage and Content Delivery
This section covers two additional storage and content delivery services that are important for a Solutions Architect to understand: Amazon CloudFront and AWS Storage Gateway.
Amazon CloudFront
Amazon CloudFront is a global Content Delivery Network (CDN) service. It integrates with other AWS products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments.
Overview
A Content Delivery Network (CDN) is a globally distributed network of caching servers that speed up the downloading of web pages and other content. CDNs use Domain Name System (DNS) geo-location to determine the geographic location of each request for a web page or other content, then they serve that content from edge caching servers closest to that location instead of the original web server. A CDN allows you to increase the scalability of a website or mobile application easily in response to peak traffic spikes. In most cases, using a CDN is completely transparent—end users simply experience better website performance, while the load on your original website is reduced.
Amazon CloudFront is AWS's CDN. It can be used to deliver your web content using Amazon's global network of edge locations. When a user requests content that you're serving with Amazon CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so content is delivered with the best possible performance. If the content is already in the edge location with the lowest latency, Amazon CloudFront delivers it immediately. If the content is not currently in that edge location, Amazon CloudFront retrieves it from the origin server, such as an Amazon Simple Storage Service (Amazon S3) bucket or a web server, which stores the original, definitive versions of your files.
Amazon CloudFront is optimized to work with other AWS cloud services as the origin server, including Amazon S3 buckets, Amazon S3 static websites, Amazon Elastic Compute Cloud (Amazon EC2), and Elastic Load Balancing. Amazon CloudFront also works seamlessly with any non-AWS origin server, such as an existing on-premises web server. Amazon CloudFront also integrates with Amazon Route 53.
Amazon CloudFront supports all content that can be served over HTTP or HTTPS. This includes any popular static files that are a part of your web application, such as HTML files, images, JavaScript, and CSS files, and also audio, video, media files, or software downloads. Amazon CloudFront also supports serving dynamic web pages, so it can actually be used to deliver your entire website. Finally, Amazon CloudFront supports media streaming, using both HTTP and RTMP.
Amazon CloudFront Basics
There are three core concepts that you need to understand in order to start using CloudFront: distributions, origins, and cache control. With these concepts, you can easily use CloudFront to speed up delivery of static content from your websites.
Distributions
To use Amazon CloudFront, you start by creating a distribution, which is identified by a DNS domain name such as d111111abcdef8.cloudfront.net. To serve files from Amazon CloudFront, you simply use the distribution domain name in place of your website's domain name; the rest of the file paths stay unchanged. You can use the Amazon CloudFront distribution domain name as-is, or you can create a user-friendly DNS name in your own domain by creating a CNAME record in Amazon Route 53 or another DNS service. The CNAME is automatically redirected to your Amazon CloudFront distribution domain name.
Origins
When you create a distribution, you must specify the DNS domain name of the origin—the Amazon S3 bucket or HTTP server—from which you want Amazon CloudFront to get the definitive version of your objects (web files). For example:
Amazon S3 bucket: myawsbucket.s3.amazonaws.com
Amazon EC2 instance: ec2-203-0-113-25.compute-1.amazonaws.com
Elastic Load Balancing load balancer: my-load-balancer-1234567890.us-west-2.elb.amazonaws.com
Website URL: mywebserver.mycompanydomain.com
Cache Control
Once requested and served from an edge location, objects stay in the cache until they expire or are evicted to make room for more frequently requested content. By default, objects expire from the cache after 24 hours. Once an object expires, the next request results in Amazon CloudFront forwarding the request to the origin to verify that the object is unchanged or to fetch a new version if it has changed.
Optionally, you can control how long objects stay in an Amazon CloudFront cache before expiring. To do this, you can choose to use Cache-Control headers set by your origin server or you can set the minimum, maximum, and default Time to Live (TTL) for objects in your Amazon CloudFront distribution.
You can also remove copies of an object from all Amazon CloudFront edge locations at any time by calling the invalidation Application Program Interface (API). This feature removes the object from every Amazon CloudFront edge location regardless of the expiration period you set for that object on your origin server. The invalidation feature is designed to be used in unexpected circumstances, such as to correct an error or to make an unanticipated update to a website, not as part of your everyday workflow.
Instead of invalidating objects manually or programmatically, it is a best practice to use a version identifier as part of the object (file) path name. For example:
Old file: assets/v1/css/narrow.css
New file: assets/v2/css/narrow.css
When using versioning, users always see the latest content through Amazon CloudFront when you update your site without using invalidation. Old versions will expire from the cache automatically.
Amazon CloudFront Advanced Features
CloudFront can do much more than simply serve static web files. To start using CloudFront's advanced features, you will need to understand how to use cache behaviors, and how to restrict access to sensitive content.
Dynamic Content, Multiple Origins, and Cache Behaviors
Serving static assets, such as described previously, is a common way to use a CDN. An Amazon CloudFront distribution, however, can easily be set up to serve dynamic content in addition to static content and to use more than one origin server. You control which requests are served by which origin and how requests are cached using a feature called cache behaviors.
A cache behavior lets you configure a variety of Amazon CloudFront functionalities for a given URL path pattern for files on your website. For example, see Figure 11.1. One cache behavior applies to all PHP files in a web server (dynamic content), using the path pattern *.php, while another behavior applies to all JPEG images in another origin server (static content), using the path pattern *.jpg.
FIGURE 11.1 Delivering static and dynamic content
The functionality you can configure for each cache behavior includes the following:
The path pattern
Which origin to forward your requests to
Whether to forward query strings to your origin
Whether accessing the specified files requires signed URLs
Whether to require HTTPS access
The amount of time that those files stay in the Amazon CloudFront cache (regardless of the value of any Cache-Control headers that your origin adds to the files)
Cache behaviors are applied in order; if a request does not match the first path pattern, it drops down to the next path pattern. Normally the last path pattern specified is * to match all files.
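The ordering rule matters for security as well as for caching: a behavior that requires signed URLs only protects the paths that no earlier, broader pattern has already claimed. The following added Python model (not code from the study guide or from CloudFront itself) evaluates an ordered list of constructed behaviors the way the text describes and adds two configuration checks. Origin names, patterns and sample paths are made up for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class CacheBehavior:
    """One cache behavior: the settings the text lists, keyed by a path pattern."""
    path_pattern: str                 # e.g. "*.php", "images/*.jpg", or "*" for the default
    origin: str                       # which origin requests are forwarded to
    ttl_seconds: int                  # how long objects stay in the edge cache
    forward_query_string: bool = False
    require_signed_url: bool = False
    https_only: bool = False


# Constructed distribution, loosely following Figure 11.1: restricted member
# content first, dynamic PHP from the web server, static JPEGs from an S3
# origin, and the "*" default last.  Origin names are made up.
BEHAVIORS = [
    CacheBehavior("members/*", origin="web-origin", ttl_seconds=0,
                  forward_query_string=True, require_signed_url=True, https_only=True),
    CacheBehavior("*.php", origin="web-origin", ttl_seconds=0,
                  forward_query_string=True, https_only=True),
    CacheBehavior("images/*.jpg", origin="s3-static-origin", ttl_seconds=86_400),
    CacheBehavior("*", origin="web-origin", ttl_seconds=60),
]


def match_behavior(path: str, behaviors=BEHAVIORS) -> CacheBehavior:
    """Return the first behavior whose pattern matches the request path.
    Patterns are tried in order, so the '*' default must come last."""
    path = path.lstrip("/")
    for behavior in behaviors:
        if fnmatchcase(path, behavior.path_pattern):   # '*' also spans '/'
            return behavior
    raise LookupError(f"no cache behavior matches {path!r}; add a '*' default")


def default_is_last(behaviors) -> bool:
    """Configuration check: a '*' behavior anywhere but last shadows all behaviors after it."""
    return all(b.path_pattern != "*" for b in behaviors[:-1])


def shadowed(behaviors, sample_paths) -> set:
    """Patterns never selected for any sample path: a hint that an earlier,
    broader pattern is catching their traffic, so their settings (such as a
    signed-URL requirement) are not being applied."""
    used = {match_behavior(p, behaviors).path_pattern for p in sample_paths}
    return {b.path_pattern for b in behaviors} - used
```

Run `shadowed()` against a representative set of request paths whenever the behavior list changes: if `members/*` were listed after `*.php`, a request for `members/report.php` would be served by the PHP behavior with no signed-URL requirement at all, and the function reports `members/*` as never selected.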
Whole Website
Using cache behaviors and multiple origins, you can easily use Amazon CloudFront to serve your whole website and to support different behaviors for different client devices.
Private Content
In many cases, you may want to restrict access to content in Amazon CloudFront to only selected requestors, such as paid subscribers or to applications or users in your company network. Amazon CloudFront provides several mechanisms to allow you to serve private content. These include:
Signed URLs Use URLs that are valid only between certain times and optionally from certain IP addresses.
Signed Cookies Require authentication via public and private key pairs.
Origin Access Identities (OAI) Restrict access to an Amazon S3 bucket only to a special Amazon CloudFront user associated with your distribution. This is the easiest way to ensure that content in a bucket is only accessed by Amazon CloudFront.
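To show what "valid only between certain times and optionally from certain IP addresses" looks like on the wire, here is an added Python example (not code from the study guide or from an AWS SDK). It builds the custom policy document a CloudFront signed URL carries, applies CloudFront's URL-safe base64 variant, assembles the query string, and models the condition checks the edge applies after the signature has verified. The RSA-SHA1 signing step is left to a caller-supplied callable and the key pair ID is a placeholder; the URL, times and addresses are constructed (the distribution name is the one used earlier on this page).

```python
import base64
import ipaddress
import json
from fnmatch import fnmatchcase


def build_custom_policy(resource_url, not_after, not_before=None, source_cidr=None):
    """Build the custom-policy JSON that CloudFront expects: an expiry time,
    an optional start time, and an optional source-IP range (epoch seconds)."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(not_after)}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    if source_cidr is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    policy = {"Statement": [{"Resource": resource_url, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))   # compact, no whitespace


def cloudfront_safe_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def decode_policy(encoded: str) -> dict:
    """Reverse the encoding above and parse the policy document."""
    raw = base64.b64decode(encoded.translate(str.maketrans("-_~", "+=/")))
    return json.loads(raw)


def build_signed_url(base_url, policy_json, key_pair_id, sign):
    """Append the Policy, Signature and Key-Pair-Id query parameters. `sign`
    is the caller's RSA-SHA1 signing callable over the policy bytes using the
    CloudFront key pair's private key (assumption: supplied by the caller)."""
    sep = "&" if "?" in base_url else "?"
    return (
        f"{base_url}{sep}Policy={cloudfront_safe_b64(policy_json.encode())}"
        f"&Signature={cloudfront_safe_b64(sign(policy_json.encode()))}"
        f"&Key-Pair-Id={key_pair_id}"
    )


def policy_permits(policy_json, requested_url, now, client_ip):
    """Model of the checks the edge applies once the signature has verified:
    resource match (wildcards allowed), time window, and source address."""
    policy = json.loads(policy_json)
    for statement in policy["Statement"]:
        if not fnmatchcase(requested_url, statement["Resource"]):
            continue
        cond = statement["Condition"]
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False                     # expired
        if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False                     # not yet valid
        if "IpAddress" in cond:
            allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(client_ip) not in allowed:
                return False                 # wrong source address
        return True
    return False                             # no statement covers this URL
```

The policy travels inside the URL in the clear; only the signature stops a client from editing the expiry or the IP range, so the private key that produces it must never leave the signing service, and short windows limit how long a leaked URL stays useful.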
Use Cases
There are several use cases where Amazon CloudFront is an excellent choice, including, but not limited to:
Serving the Static Assets of Popular Websites Static assets such as images, CSS, and JavaScript traditionally make up the bulk of requests to typical websites. Using Amazon CloudFront will speed up the user experience and reduce load on the website itself.
Serving a Whole Website or Web Application Amazon CloudFront can serve a whole website containing both dynamic and static content by using multiple origins, cache behaviors, and short TTLs for dynamic content.
Serving Content to Users Who Are Widely Distributed Geographically Amazon CloudFront will improve site performance, especially for distant users, and reduce the load on your origin server.
Distributing Software or Other Large Files Amazon CloudFront will help speed up the download of these files to end users.
Serving Streaming Media Amazon CloudFront helps serve streaming media, such as audio and video.
There are also use cases where CloudFront is not appropriate, including:
All or Most Requests Come From a Single Location If all or most of your requests come from a single geographic location, such as a large corporate campus, you will not take advantage of multiple edge locations.
All or Most Requests Come Through a Corporate VPN Similarly, if your users connect via a corporate Virtual Private Network (VPN), even if they are distributed, user requests appear to CloudFront to originate from one or a few locations. These use cases will generally not see benefit from using Amazon CloudFront.
AWS Storage Gateway
AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS storage infrastructure. The service enables you to store data securely on the AWS cloud in a scalable and cost-effective manner. AWS Storage Gateway supports industry-standard storage protocols that work with your existing applications. It provides low-latency performance by caching frequently accessed data on-premises while encrypting and storing all of your data in Amazon S3 or Amazon Glacier.
Overview
AWS Storage Gateway's software appliance is available for download as a Virtual Machine (VM) image that you install on a host in your data center and then register with your AWS account through the AWS Management Console. The storage associated with the appliance is exposed as an iSCSI device that can be mounted by your on-premises applications.
There are three configurations for AWS Storage Gateway: Gateway-Cached volumes, Gateway-Stored volumes, and Gateway-Virtual Tape Libraries (VTL).
Gateway-Cached Volumes
Gateway-Cached volumes allow you to expand your local storage capacity into Amazon S3. All data stored on a Gateway-Cached volume is moved to Amazon S3, while recently read data is retained in local storage to provide low-latency access. While each volume is limited to a maximum size of 32 TB, a single gateway can support up to 32 volumes for a maximum storage of 1 PB.
Point-in-time snapshots can be taken to back up your AWS Storage Gateway. These snapshots are performed incrementally, and only the data that has changed since the last snapshot is stored.
All Gateway-Cached volume data and snapshot data is transferred to Amazon S3 over encrypted Secure Sockets Layer (SSL) connections. It is encrypted at rest in Amazon S3 using Server-Side Encryption (SSE). However, you cannot directly access this data with the Amazon S3 API or other tools such as the Amazon S3 console; instead you must access it through the AWS Storage Gateway service.
Gateway-Stored Volumes
Gateway-Stored volumes allow you to store your data on your on-premises storage and asynchronously back up that data to Amazon S3. This provides low-latency access to all data, while also providing off-site backups taking advantage of the durability of Amazon S3. The data is backed up in the form of Amazon Elastic Block Store (Amazon EBS) snapshots. While each volume is limited to a maximum size of 16 TB, a single gateway can support up to 32 volumes for a maximum storage of 512 TB.
Similar to Gateway-Cached volumes, you can take snapshots of your Gateway-Stored volumes. The gateway stores these snapshots in Amazon S3 as Amazon EBS snapshots. When you take a new snapshot, only the data that has changed since your last snapshot is stored. You can initiate snapshots on a scheduled or one-time basis. Because these snapshots are stored as Amazon EBS snapshots, you can create a new Amazon EBS volume from a Gateway-Stored volume.
All Gateway-Stored volume data and snapshot data is transferred to Amazon S3 over encrypted SSL connections. It is encrypted at rest in Amazon S3 using SSE. However, you cannot access this data with the Amazon S3 API or other tools such as the Amazon S3 console.
If your on-premises appliance or even entire data center becomes unavailable, the data in AWS Storage Gateway can still be retrieved. If it's only the appliance that is unavailable, a new appliance can be launched in the data center and attached to the existing AWS Storage Gateway. A new appliance can also be launched in another data center or even on an Amazon EC2 instance on the cloud.
Gateway Virtual Tape Libraries (VTL)
Gateway-VTL offers a durable, cost-effective solution to archive your data on the AWS cloud. The VTL interface lets you leverage your existing tape-based backup application infrastructure to store data on virtual tape cartridges that you create on your Gateway-VTL.
A virtual tape is analogous to a physical tape cartridge, except the data is stored on the AWS cloud. Tapes are created blank through the console or programmatically and then filled with backed-up data. A gateway can contain up to 1,500 tapes (1 PB) of total tape data. Virtual tapes appear in your gateway's VTL, a virtualized version of a physical tape library. Virtual tapes are discovered by your backup application using its standard media inventory procedure.
When your tape software ejects a tape, it is archived on a Virtual Tape Shelf (VTS) and stored in Amazon Glacier. You're allowed 1 VTS per AWS region, but multiple gateways in the same region can share a VTS.
Use Cases
There are several use cases where AWS Storage Gateway is an excellent choice, including, but not limited to:
Gateway-Cached volumes enable you to expand local storage hardware to Amazon S3, allowing you to store much more data without drastically increasing your storage hardware or changing your storage processes.
Gateway-Stored volumes provide seamless, asynchronous, and secure backup of your on-premises storage without new processes or hardware.
Gateway-VTLs enable you to keep your current tape backup software and processes while storing your data more cost-effectively and simply on the cloud.
Security
Cloud security at AWS is the highest priority. AWS customers benefit from data centers and network architectures built to meet the requirements of the most security-sensitive organizations.
An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment. Cloud security is much like security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
This section will focus on four AWS services that are directly related to specific security purposes: AWS Directory Service for identity management, AWS Key Management Service (KMS) and AWS CloudHSM for key management, and AWS CloudTrail for auditing.
AWS Directory Service
AWS Directory Service is a managed service offering that provides directories that contain information about your organization, including users, groups, computers, and other resources.
Overview
You can choose from three directory types:
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
Simple AD
AD Connector
As a managed offering, AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly-available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install, and AWS handles all of the patching and software updates.
AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
AWS Directory Service for Microsoft Active Directory (Enterprise Edition) is a managed Microsoft Active Directory hosted on the AWS cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality, you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS cloud services.
Simple AD
Simple AD is a Microsoft Active Directory-compatible directory from AWS Directory Service that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon EC2 instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies. This makes it even easier to manage Amazon EC2 instances running Linux and Windows and deploy Windows applications on the AWS cloud.
Many of the applications and tools you use today that require Microsoft Active Directory support can be used with Simple AD. User accounts in Simple AD can also access AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. They can also use AWS IAM roles to access the AWS Management Console and manage AWS resources. Finally, Simple AD provides daily automated snapshots to enable point-in-time recovery.
Note that you cannot set up trust relationships between Simple AD and other Active Directory domains. Other features not supported at the time of this writing by Simple AD include DNS dynamic update, schema extensions, Multi-Factor Authentication (MFA), communication over Lightweight Directory Access Protocol (LDAP), PowerShell AD cmdlets, and the transfer of Flexible Single-Master Operations (FSMO) roles.
AD Connector
AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.
AD Connector forwards sign-in requests to your Active Directory domain controllers for authentication and provides the ability for applications to query the directory for data. After setup, your users can use their existing corporate credentials to log on to AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. With the proper IAM permissions, they can also access the AWS Management Console and manage AWS resources such as Amazon EC2 instances or Amazon S3 buckets. You can also use AD Connector to enable MFA by integrating it with your existing Remote Authentication Dial-In User Service (RADIUS)-based MFA infrastructure to provide an additional layer of security when users access AWS applications.
With AD Connector, you continue to manage your Active Directory as usual. For example, adding new users, adding new groups, or updating passwords are all accomplished using standard directory administration tools with your on-premises directory. Thus, in addition to providing a streamlined experience for your users, AD Connector enables consistent enforcement of your existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or on the AWS cloud.
UseCasesAWSDirectoryServiceprovidesmultiplewaystouseMicrosoftActiveDirectorywithotherAWScloudservices.Youcanchoosethedirectoryservicewiththefeaturesyouneedatacostthatfitsyourbudget.
AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)ThisDirectoryServiceisyourbestchoiceifyouhavemorethan5,000usersandneedatrustrelationshipsetupbetweenanAWS-hosteddirectoryandyouron-premisesdirectories.
SimpleADInmostcases,SimpleADistheleastexpensiveoptionandyourbestchoiceif
youhave5,000orfewerusersanddon’tneedthemoreadvancedMicrosoftActiveDirectoryfeatures.
ADConnectorADConnectorisyourbestchoicewhenyouwanttouseyourexistingon-premisesdirectorywithAWScloudservices.
AWS Key Management Service (KMS) and AWS CloudHSM

Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.

Overview

AWS offers two services that provide you with the ability to manage your own symmetric or asymmetric cryptographic keys:

AWS KMS: A service enabling you to generate, store, enable/disable, and delete symmetric keys
AWS CloudHSM: A service providing you with secure cryptographic key storage by making Hardware Security Modules (HSMs) available on the AWS cloud

AWS Key Management Service (AWS KMS)

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define.

By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS cloud services that are integrated with AWS KMS. Whether you are writing applications for AWS or using AWS cloud services, AWS KMS enables you to maintain control over who can use your keys and gain access to your encrypted data.

Customer Managed Keys AWS KMS uses a type of key called a Customer Master Key (CMK) to encrypt and decrypt data. CMKs are the fundamental resources that AWS KMS manages. They can be used inside of AWS KMS to encrypt or decrypt up to 4 KB of data directly. They can also be used to encrypt generated data keys that are then used to encrypt or decrypt larger amounts of data outside of the service. CMKs can never leave AWS KMS unencrypted, but data keys can leave the service unencrypted.

Data Keys You use data keys to encrypt large data objects within your own application outside AWS KMS. When you call GenerateDataKey, AWS KMS returns a plaintext version of the key and ciphertext that contains the key encrypted under the specified CMK. AWS KMS tracks which CMK was used to encrypt the data key. You use the plaintext data key in your application to encrypt data, and you typically store the encrypted key alongside your encrypted data. Security best practices suggest that you should remove the plaintext key from memory as soon as is practical after use. To decrypt data in your application, pass the encrypted data key to the Decrypt function. AWS KMS uses the associated CMK to decrypt and retrieve your plaintext data key. Use the plaintext key to decrypt your data, and then remove the key from memory.

Envelope Encryption AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a CMK, and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. The key should be removed from memory as soon as is practical after use. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.

Encryption Context All AWS KMS cryptographic operations accept an optional key/value map of additional contextual information called an encryption context. The specified context must be the same for both the encrypt and decrypt operations or decryption will not succeed. The encryption context is logged, can be used for additional auditing, and is available as context in the AWS policy language for fine-grained policy-based authorization.
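The GenerateDataKey/Decrypt flow and the encryption-context rule from the Data Keys, Envelope Encryption and Encryption Context paragraphs above, as an added Go example that is not from the book or from AWS. It uses a hypothetical in-process stand-in for KMS (`SimulatedKMS`, with AES-256-GCM from the Go standard library doing the wrapping that KMS would do) and binds the canonicalized encryption context to every ciphertext as additional authenticated data, so decryption with a different or missing context fails; the plaintext data key is zeroed as soon as it is no longer needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// SimulatedKMS is a hypothetical stand-in for AWS KMS (not the AWS SDK); the CMK never leaves it.
type SimulatedKMS struct{ cmk []byte }

func NewSimulatedKMS() *SimulatedKMS { return &SimulatedKMS{cmk: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// contextAAD canonicalizes an encryption context (sorted key=value pairs) so it
// can be bound to a ciphertext as AES-GCM additional authenticated data.
func contextAAD(ctx map[string]string) []byte {
	pairs := make([]string, 0, len(ctx))
	for k, v := range ctx {
		pairs = append(pairs, k+"="+v)
	}
	sort.Strings(pairs)
	return []byte(strings.Join(pairs, "\n"))
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only with a wrong key length; every key here is 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts with AES-256-GCM, prepending the random nonce to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if the key, the data or the AAD differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// GenerateDataKey mirrors the KMS call: a fresh 256-bit data key, returned in
// plaintext and wrapped under the CMK with the encryption context bound in.
func (k *SimulatedKMS) GenerateDataKey(ctx map[string]string) (plain, blob []byte) {
	plain = randomBytes(32)
	return plain, seal(k.cmk, plain, contextAAD(ctx))
}

// Decrypt mirrors the KMS call that unwraps a data key; only the encryption
// context supplied to GenerateDataKey succeeds.
func (k *SimulatedKMS) Decrypt(blob []byte, ctx map[string]string) ([]byte, error) {
	return open(k.cmk, blob, contextAAD(ctx))
}

// Envelope is what the application stores: the wrapped data key beside the data
// encrypted under it. Neither half alone yields the plaintext.
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

// zero wipes a plaintext data key as soon as it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt: obtain a data key, encrypt locally, keep only the wrapped key.
func EnvelopeEncrypt(kms *SimulatedKMS, ctx map[string]string, data []byte) *Envelope {
	dataKey, blob := kms.GenerateDataKey(ctx)
	defer zero(dataKey)
	return &Envelope{EncryptedDataKey: blob, Ciphertext: seal(dataKey, data, contextAAD(ctx))}
}

// EnvelopeDecrypt asks KMS to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(kms *SimulatedKMS, ctx map[string]string, env *Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.EncryptedDataKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	return open(dataKey, env.Ciphertext, contextAAD(ctx))
}
```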
AWS CloudHSM

AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.

The recommended configuration for using AWS CloudHSM is to use two HSMs configured in a high-availability configuration, as illustrated in Figure 11.2.

FIGURE 11.2 High availability CloudHSM architecture

AWS CloudHSM allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption in a way that ensures that only you have access to the keys. AWS CloudHSM helps you comply with strict key management requirements within the AWS cloud without sacrificing application performance.

Use Cases

The AWS key management services address several security needs that would require extensive effort to deploy and manage otherwise, including, but not limited to:

Scalable Symmetric Key Distribution Symmetric encryption algorithms require that the same key be used for both encrypting and decrypting the data. This is problematic because transferring the key from the sender to the receiver must be done either through a known secure channel or some "out of band" process.

Government-Validated Cryptography Certain types of data (for example, Payment Card Industry—PCI—or health information records) must be protected with cryptography that has been validated by an outside party as conforming to the algorithm(s) asserted by the claiming party.
AWS CloudTrail

AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

Overview

AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to an Amazon S3 bucket that you specify. Optionally, you can configure AWS CloudTrail to deliver events to a log group monitored by Amazon CloudWatch Logs. You can also choose to receive Amazon Simple Notification Service (Amazon SNS) notifications each time a log file is delivered to your bucket. You can create a trail with the AWS CloudTrail console, the AWS Command Line Interface (CLI), or the AWS CloudTrail API. A trail is a configuration that enables logging of the AWS API activity and related events in your account.

You can create two types of trails:

A Trail That Applies to All Regions When you create a trail that applies to all AWS regions, AWS CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to the single Amazon S3 bucket (and optionally to the Amazon CloudWatch Logs log group) that you specify. This is the default option when you create a trail using the AWS CloudTrail console. If you choose to receive Amazon SNS notifications for log file deliveries, one Amazon SNS topic will suffice for all regions. If you choose to have AWS CloudTrail send events from a trail that applies to all regions to an Amazon CloudWatch Logs log group, events from all regions will be sent to the single log group.

A Trail That Applies to One Region You specify a bucket that receives events only from that region. The bucket can be in any region that you specify. If you create additional individual trails that apply to specific regions, you can have those trails deliver event logs to a single Amazon S3 bucket.

By default, your log files are encrypted using Amazon S3 SSE. You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically.

AWS CloudTrail typically delivers log files within 15 minutes of an API call. In addition, the service publishes new log files multiple times an hour, usually about every five minutes. These log files contain API calls from all of the account's services that support AWS CloudTrail.

Enable AWS CloudTrail on all of your AWS accounts. Instead of configuring a trail for one region, you should enable trails for all regions.

Use Cases

AWS CloudTrail is beneficial for several use cases:

External Compliance Audits Your business must demonstrate compliance to a set of regulations pertinent to some or all data being transmitted, processed, and stored within your AWS accounts. Events from AWS CloudTrail can be used to show the degree to which you are compliant with the regulations.

Unauthorized Access to Your AWS Account AWS CloudTrail records all sign-on attempts to your AWS account, including AWS Management Console login attempts, AWS Software Development Kit (SDK) API calls, and AWS CLI API calls. Routine examination of AWS CloudTrail events will provide the needed information to determine if your AWS account is being targeted for unauthorized access.
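One way to do the routine examination just described, as an added Go example that is not from the book or from AWS: it parses a constructed CloudTrail log file (the `Records` array the service delivers to S3, with placeholder user names and documentation-range IP addresses) and raises findings for repeated failed console logins from one source for one user, for any successful root console login, and for identities accumulating AccessDenied API errors. The rule names, the threshold and the `Analyze` function are assumptions; the event field names are the real CloudTrail ones.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Record carries the CloudTrail event fields this checker inspects; the field
// names are the real ones and everything else in a record is ignored.
type Record struct {
	EventTime        string                 `json:"eventTime"`
	EventSource      string                 `json:"eventSource"`
	EventName        string                 `json:"eventName"`
	SourceIPAddress  string                 `json:"sourceIPAddress"`
	ErrorCode        string                 `json:"errorCode"`
	ResponseElements map[string]interface{} `json:"responseElements"`
	UserIdentity     struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
}

// Finding is one thing a reviewer should look at.
type Finding struct{ Rule, Subject, Detail string }

// SampleLog is a constructed CloudTrail log file (placeholder users and IPs),
// shaped like the files the service delivers to S3.
const SampleLog = `{"Records":[
{"eventTime":"2017-03-01T10:00:01Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:00:09Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:00:15Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.20","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.20","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}},
{"eventTime":"2017-03-01T10:07:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.50","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"}},
{"eventTime":"2017-03-01T10:10:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.33","userIdentity":{"type":"IAMUser","userName":"svc-reporter"},"errorCode":"AccessDenied","errorMessage":"Access Denied"},
{"eventTime":"2017-03-01T10:10:05Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.33","userIdentity":{"type":"IAMUser","userName":"svc-reporter"},"errorCode":"AccessDenied","errorMessage":"Access Denied"},
{"eventTime":"2017-03-01T10:12:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.33","userIdentity":{"type":"IAMUser","userName":"carol"},"responseElements":null}
]}`

// Analyze applies three detections to one CloudTrail log file: failed console
// logins per (source IP, user) reaching failThreshold, any successful root
// console login, and identities that accumulate AccessDenied API errors.
func Analyze(logJSON []byte, failThreshold int) ([]Finding, error) {
	var lf struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(logJSON, &lf); err != nil {
		return nil, fmt.Errorf("parse log file: %w", err)
	}
	var findings []Finding
	failed := map[string]int{} // "sourceIP user" -> failed console logins
	denied := map[string]int{} // user -> AccessDenied API calls
	for _, r := range lf.Records {
		who := r.UserIdentity.UserName
		if r.UserIdentity.Type == "Root" {
			who = "root" // root records carry no userName
		}
		switch {
		case r.EventName == "ConsoleLogin" && r.ResponseElements["ConsoleLogin"] == "Failure":
			failed[r.SourceIPAddress+" "+who]++
		case r.EventName == "ConsoleLogin" && r.UserIdentity.Type == "Root":
			findings = append(findings, Finding{"root-console-login", who,
				"successful root login from " + r.SourceIPAddress + " at " + r.EventTime})
		case r.ErrorCode == "AccessDenied":
			denied[who]++
		}
	}
	for key, n := range failed {
		if n >= failThreshold {
			findings = append(findings, Finding{"repeated-failed-console-logins", key,
				fmt.Sprintf("%d failed console logins (threshold %d)", n, failThreshold)})
		}
	}
	for who, n := range denied {
		findings = append(findings, Finding{"access-denied-api-calls", who,
			fmt.Sprintf("%d AccessDenied API errors", n)})
	}
	sort.Slice(findings, func(i, j int) bool { // map iteration is random; fix the order
		if findings[i].Rule != findings[j].Rule {
			return findings[i].Rule < findings[j].Rule
		}
		return findings[i].Subject < findings[j].Subject
	})
	return findings, nil
}
```

In practice the same function would be run over every log file a trail delivers, or fed from the CloudWatch Logs log group the text mentions.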
Analytics

Analytics, and the associated big data that it requires, presents a unique list of challenges to a Solutions Architect. The big data must be ingested at a very high rate, stored in very high volume, and processed with a tremendous amount of compute. Often, the need to perform analytics on the big data is sporadic, with a great deal of compute infrastructure needed regularly for very small time periods. The cloud, with its easy access to compute and nearly limitless storage capacity, is ideally suited to address these analytics challenges. This section covers several AWS cloud services that will help you address analytics and big data issues on the exam.

Amazon Kinesis

Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs.

Overview

Amazon Kinesis is a streaming data platform consisting of three services addressing different real-time streaming data challenges:

Amazon Kinesis Firehose: A service enabling you to load massive volumes of streaming data into AWS
Amazon Kinesis Streams: A service enabling you to build custom applications for more complex analysis of streaming data in real time
Amazon Kinesis Analytics: A service enabling you to easily analyze streaming data in real time with standard SQL

Each of these services can scale to handle virtually limitless data streams.

Amazon Kinesis Firehose

Amazon Kinesis Firehose receives stream data and stores it in Amazon S3, Amazon Redshift, or Amazon Elasticsearch. You do not need to write any code; just create a delivery stream and configure the destination for your data. Clients write data to the stream using an AWS API call and the data is automatically sent to the proper destination. The various destination options are shown in Figure 11.3.

FIGURE 11.3 Amazon Kinesis Firehose

When configured to save a stream to Amazon S3, Amazon Kinesis Firehose sends the data directly to Amazon S3. For an Amazon Redshift destination, the data is first written to Amazon S3, and then an Amazon Redshift COPY command is executed to load the data into Amazon Redshift. Amazon Kinesis Firehose can also write data out to Amazon Elasticsearch, with the option to back the data up concurrently to Amazon S3.

Amazon Kinesis Streams

Amazon Kinesis Streams enable you to collect and process large streams of data records in real time. Using AWS SDKs, you can create an Amazon Kinesis Streams application that processes the data as it moves through the stream. Because response time for data intake and processing is in near real time, the processing is typically lightweight. Amazon Kinesis Streams can scale to support nearly limitless data streams by distributing incoming data across a number of shards. If any shard becomes too busy, it can be further divided into more shards to distribute the load further. The processing is then executed on consumers, which read data from the shards and run the Amazon Kinesis Streams application. This architecture is shown in Figure 11.4.

FIGURE 11.4 Amazon Kinesis Streams

Amazon Kinesis Analytics

At the time of this writing, Amazon Kinesis Analytics has been announced but not yet released.

Use Cases

The Amazon Kinesis services support many strategic workloads that would otherwise require extensive effort to deploy and manage, including, but not limited to:

Data Ingestion The first challenge with a huge stream of data is accepting it reliably. Whether it is user data from highly trafficked websites, input data from thousands of monitoring devices, or any other sources of huge streams, Amazon Kinesis Firehose is an excellent choice to ensure that all of your data is successfully stored in your AWS infrastructure.

Real-Time Processing of Massive Data Streams Companies often need to act on knowledge gleaned from a big data stream right away, whether to feed a dashboard application, alter advertising strategies based on social media trends, allocate assets based on real-time situations, or a host of other scenarios. Amazon Kinesis Streams enables you to gather this knowledge from the data in your stream on a real-time basis.

It's good to remember that while Amazon Kinesis is ideally suited for ingesting and processing streams of data, it is less appropriate for batch jobs such as nightly Extract, Transform, Load (ETL) processes. For those types of workloads, consider AWS Data Pipeline, which is described later in this chapter.
Amazon Elastic MapReduce (Amazon EMR)

Amazon Elastic MapReduce (Amazon EMR) provides you with a fully managed, on-demand Hadoop framework. Amazon EMR reduces the complexity and up-front costs of setting up Hadoop and, combined with the scale of AWS, gives you the ability to spin up large Hadoop clusters instantly and start processing within minutes.

Overview

When you launch an Amazon EMR cluster, you specify several options, the most important being:

The instance type of the nodes in your cluster
The number of nodes in your cluster
The version of Hadoop you want to run (Amazon EMR supports several recent versions of Apache Hadoop, and also several versions of MapR Hadoop.)
Additional tools or applications like Hive, Pig, Spark, or Presto

There are two types of storage that can be used with Amazon EMR:

Hadoop Distributed File System (HDFS) HDFS is the standard file system that comes with Hadoop. All data is replicated across multiple instances to ensure durability. Amazon EMR can use Amazon EC2 instance storage or Amazon EBS for HDFS. When a cluster is shut down, instance storage is lost and the data does not persist. HDFS can also make use of Amazon EBS storage, trading in the cost effectiveness of instance storage for the ability to shut down a cluster without losing data.

EMR File System (EMRFS) EMRFS is an implementation of HDFS that allows clusters to store data on Amazon S3. EMRFS allows you to get the durability and low cost of Amazon S3 while preserving your data even if the cluster is shut down.

A key factor driving the type of storage a cluster uses is whether the cluster is persistent or transient. A persistent cluster continues to run 24×7 after it is launched. Persistent clusters are appropriate when continuous analysis is going to be run on the data. For persistent clusters, HDFS is a common choice. Persistent clusters take advantage of the low latency of HDFS, especially on instance storage, because constant operation means no data is lost from shutting down a cluster. In other situations, big data workloads are frequently run inconsistently, and it can be cost-effective to turn the cluster off when not in use. Clusters that are started when needed and then immediately stopped when done are called transient clusters. EMRFS is well suited for transient clusters, as the data persists independent of the lifetime of the cluster. You can also choose to use a combination of local HDFS and EMRFS to meet your workload needs.

Because Amazon EMR is an instance of Apache Hadoop, you can use the extensive ecosystem of tools that work on top of Hadoop, such as Hive, Pig, and Spark. Many of these tools are natively supported and can be included automatically when you launch your cluster, while others can be installed through bootstrap actions.

Use Cases

Amazon EMR is well suited for a large number of use cases, including, but not limited to:

Log Processing Amazon EMR can be used to process logs generated by web and mobile applications. Amazon EMR helps customers turn petabytes of unstructured or semi-structured data into useful insights about their applications or users.

Clickstream Analysis Amazon EMR can be used to analyze clickstream data in order to segment users and understand user preferences. Advertisers can also analyze clickstreams and advertising impression logs to deliver more effective ads.

Genomics and Life Sciences Amazon EMR can be used to process vast amounts of genomic data and other large scientific data sets quickly and efficiently. Processes that require years of compute can be completed in a day when scaled across large clusters.
AWS Data Pipeline

AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, and also on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it's stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon EMR.

Overview

Everything in AWS Data Pipeline starts with the pipeline itself. A pipeline schedules and runs tasks according to the pipeline definition. The scheduling is flexible and can run every 15 minutes, every day, every week, and so forth.

The pipeline interacts with data stored in data nodes. Data nodes are locations where the pipeline reads input data or writes output data, such as Amazon S3, a MySQL database, or an Amazon Redshift cluster. Data nodes can be on AWS or on your premises.

The pipeline will execute activities that represent common scenarios, such as moving data from one location to another, running Hive queries, and so forth. Activities may require additional resources to run, such as an Amazon EMR cluster or an Amazon EC2 instance. In these situations, AWS Data Pipeline will automatically launch the required resources and tear them down when the activity is completed.

Distributed data flows often have dependencies; just because an activity is scheduled to run does not mean that there is data waiting to be processed. For situations like this, AWS Data Pipeline supports preconditions, which are conditional statements that must be true before an activity can run. These include scenarios such as whether an Amazon S3 key is present, whether an Amazon DynamoDB table contains any data, and so forth.

If an activity fails, retry is automatic. The activity will continue to retry up to the limit you configure. You can define actions to take in the event that the activity reaches that limit without succeeding.

Use Cases

AWS Data Pipeline can be used for virtually any batch mode ETL process. A simple example is shown in Figure 11.5.

FIGURE 11.5 Example pipeline

The pipeline in Figure 11.5 is performing the following workflow:

Every hour an activity begins to extract log data from on-premises storage to Amazon S3. A precondition checks that there is data to be transferred before actually starting the activity.
The next activity launches a transient Amazon EMR cluster that uses the extracted data set as input, validates and transforms it, and then outputs the data to an Amazon S3 bucket.
The final activity moves the transformed data from Amazon S3 to Amazon Redshift via an Amazon Redshift COPY command.

AWS Data Pipeline is best for regular batch processes instead of for continuous data streams; use Amazon Kinesis for data streams.
AWS Import/Export

One key challenge of big data on the AWS cloud is getting huge data sets to the cloud in the first place, or retrieving them back to on-premises when necessary. Regardless of how much bandwidth you configure out of your data center, there are times when there is more data to transfer than can move over the connection in a reasonable period of time. AWS Import/Export is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet. The data is copied to a device at the source (your data center or an AWS region), shipped via standard shipping mechanisms, and then copied to the destination (your data center or an AWS region).

Overview

AWS Import/Export has two features that support shipping data into and out of your AWS infrastructure: AWS Import/Export Snowball (AWS Snowball) and AWS Import/Export Disk.

AWS Snowball

AWS Snowball uses Amazon-provided shippable storage appliances shipped through UPS. Each AWS Snowball is protected by AWS KMS and made physically rugged to secure and protect your data while the device is in transit. At the time of this writing, AWS Snowballs come in two sizes: 50 TB and 80 TB, and the availability of each varies by region.

AWS Snowball provides the following features:

You can import and export data between your on-premises data storage locations and Amazon S3.
Encryption is enforced, protecting your data at rest and in physical transit.
You don't have to buy or maintain your own hardware devices.
You can manage your jobs through the AWS Snowball console.
The AWS Snowball is its own shipping container, and the shipping label is an E Ink display that automatically shows the correct address when the AWS Snowball is ready to ship. You can drop it off with UPS, no box required.

With AWS Snowball, you can import or export terabytes or even petabytes of data.

AWS Import/Export Disk

AWS Import/Export Disk supports transferring data directly onto and off of storage devices you own using the Amazon high-speed internal network.

Important things to understand about AWS Import/Export Disk include:

You can import your data into Amazon Glacier and Amazon EBS, in addition to Amazon S3.
You can export data from Amazon S3.
Encryption is optional and not enforced.
You buy and maintain your own hardware devices.
You can't manage your jobs through the AWS Snowball console.
Unlike AWS Snowball, AWS Import/Export Disk has an upper limit of 16 TB.

Use Cases

AWS Import/Export can be used for just about any situation where you have more data to move than you can get through your Internet connection in a reasonable time, including, but not limited to:

Storage Migration When companies shut down a data center, they often need to move massive amounts of storage to another location. AWS Import/Export is a suitable technology for this requirement.

Migrating Applications Migrating an application to the cloud often involves moving huge amounts of data. This can be accelerated using AWS Import/Export.
DevOps

As organizations created increasingly complex software applications, IT development teams evolved their software creation practices for more flexibility, moving from waterfall models to agile or lean development practices. This change also propagated to operations teams, which blurred the lines between traditional development and operations teams. AWS provides a flexible environment that facilitated the successes of organizations like Netflix, Airbnb, General Electric, and many others that embraced DevOps. This section reviews elements of AWS cloud services that support DevOps practices.

AWS OpsWorks

AWS OpsWorks is a configuration management service that helps you configure and operate applications using Chef. AWS OpsWorks will work with applications of any level of complexity and is independent of any particular architectural pattern. You can define an application's architecture and the specification of each component, including package installation, software configuration, and resources such as storage.

AWS OpsWorks supports both Linux and Windows servers, including existing Amazon EC2 instances or servers running in your own data center. This allows organizations to use a single configuration management service to deploy and operate applications across hybrid architectures.

Overview

Many solutions on AWS usually involve groups of resources, such as Amazon EC2 instances and Amazon RDS instances, which must be created and managed collectively. For example, these architectures typically require application servers, database servers, load balancers, and so on. This group of resources is typically called a stack. A simple application server stack might be arranged something like in Figure 11.6.

FIGURE 11.6 Simple application server stack

In addition to creating the instances and installing the necessary packages, you typically need a way to distribute applications to the application servers, monitor the stack's performance, manage security and permissions, and so on. AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications. Figure 11.7 depicts how a simple application server stack might look with AWS OpsWorks. Although relatively simple, this stack shows the key AWS OpsWorks features.

FIGURE 11.7 Simple application server stack with AWS OpsWorks

The stack is the core AWS OpsWorks component. It is basically a container for AWS resources—Amazon EC2 instances, Amazon RDS database instances, and so on—that have a common purpose and make sense to be logically managed together. The stack helps you manage these resources as a group and defines some default configuration settings, such as the Amazon EC2 instances' operating system and AWS region. If you want to isolate some stack components from direct user interaction, you can run the stack in an Amazon Virtual Private Cloud (Amazon VPC). Each stack lets you grant users permission to access the stack and specify what actions they can take.

You can use AWS OpsWorks or IAM to manage user permissions. Note that the two options are not mutually exclusive; it is sometimes desirable to use both.

You define the elements of a stack by adding one or more layers. A layer represents a set of resources that serve a particular purpose, such as load balancing, web applications, or hosting a database server. You can customize or extend layers by modifying the default configurations or adding Chef recipes to perform tasks such as installing additional packages. Layers give you complete control over which packages are installed, how they are configured, how applications are deployed, and more.

Layers depend on Chef recipes to handle tasks such as installing packages on instances, deploying applications, and running scripts. One of the key AWS OpsWorks features is a set of lifecycle events that automatically run a specified set of recipes at the appropriate time on each instance.

An instance represents a single computing resource, such as an Amazon EC2 instance. It defines the resource's basic configuration, such as operating system and size. Other configuration settings, such as Elastic IP addresses or Amazon EBS volumes, are defined by the instance's layers. The layer's recipes complete the configuration by performing tasks, such as installing and configuring packages and deploying applications.

You store applications and related files in a repository, such as an Amazon S3 bucket or Git repo. Each application is represented by an app, which specifies the application type and contains the information that is needed to deploy the application from the repository to your instances, such as the repository URL and password. When you deploy an app, AWS OpsWorks triggers a Deploy event, which runs the Deploy recipes on the stack's instances.

Using the concepts of stacks, layers, and apps, you can model and visualize your application and resources in an organized fashion.

Finally, AWS OpsWorks sends all of your resource metrics to Amazon CloudWatch, making it easy to view graphs and set alarms to help you troubleshoot and take automated action based on the state of your resources. AWS OpsWorks provides many custom metrics, such as CPU idle, memory total, average load for one minute, and more. Each instance in the stack has detailed monitoring to provide insights into your workload.

Use Cases

AWS OpsWorks supports many DevOps efforts, including, but not limited to:

Host Multi-Tier Web Applications AWS OpsWorks lets you model and visualize your application with layers that define how to configure a set of resources that are managed together. Because AWS OpsWorks uses the Chef framework, you can bring your own recipes or leverage hundreds of community-built configurations.

Support Continuous Integration AWS OpsWorks supports DevOps principles, such as continuous integration. Everything in your environment can be automated.
AWS CloudFormation

AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way one would do with software.

Overview

AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. When you use AWS CloudFormation, you work with templates and stacks.

You create AWS CloudFormation templates to define your AWS resources and their properties. A template is a text file whose format complies with the JSON standard. AWS CloudFormation uses these templates as blueprints for building your AWS resources.

When you use AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once, and then provision the same resources over and over in multiple regions.

When you use AWS CloudFormation, you manage related resources as a single unit called a stack. You create, update, and delete a collection of resources by creating, updating, and deleting stacks. All of the resources in a stack are defined by the stack's AWS CloudFormation template. Suppose you created a template that includes an Auto Scaling group, Elastic Load Balancing load balancer, and an Amazon RDS database instance. To create those resources, you create a stack by submitting your template that defines those resources, and AWS CloudFormation handles all of the provisioning for you. After all of the resources have been created, AWS CloudFormation reports that your stack has been created. You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls back your changes by deleting the resources that it created.

Often you will need to launch stacks from the same template, but with minor variations, such as within a different Amazon VPC or using AMIs from a different region. These variations can be addressed using parameters. You can use parameters to customize aspects of your template at runtime, when the stack is built. For example, you can pass the Amazon RDS database size, Amazon EC2 instance types, database, and web server port numbers to AWS CloudFormation when you create a stack. By leveraging template parameters, you can use a single template for many infrastructure deployments with different configuration values. For example, your Amazon EC2 instance types, Amazon CloudWatch alarm thresholds, and Amazon RDS read-replica settings may differ among AWS regions if you receive more customer traffic in the United States than in Europe. You can use template parameters to tune the settings and thresholds in each region separately and still be sure that the application is deployed consistently across the regions.

Figure 11.8 depicts the AWS CloudFormation workflow for creating stacks.

FIGURE 11.8 Creating a stack workflow

Because environments are dynamic in nature, you inevitably will need to update your stack's resources from time to time. There is no need to create a new stack and delete the old one; you can simply modify the existing stack's template. To update a stack, create a change set by submitting a modified version of the original stack template, different input parameter values, or both. AWS CloudFormation compares the modified template with the original template and generates a change set. The change set lists the proposed changes. After reviewing the changes, you can execute the change set to update your stack. Figure 11.9 depicts the workflow for updating a stack.

FIGURE 11.9 Updating a stack workflow

When the time comes and you need to delete a stack, AWS CloudFormation deletes the stack and all of the resources in that stack.

If you want to delete a stack but still retain some resources in that stack, you can use a deletion policy to retain those resources. If a resource has no deletion policy, AWS CloudFormation deletes the resource by default.

After all of the resources have been deleted, AWS CloudFormation signals that your stack has been successfully deleted. If AWS CloudFormation cannot delete a resource, the stack will not be deleted. Any resources that haven't been deleted will remain until you can successfully delete the stack.

Use Case

By allowing you to replicate your entire infrastructure stack easily and quickly, AWS CloudFormation enables a variety of use cases, including, but not limited to:

Quickly Launch New Test Environments AWS CloudFormation lets testing teams quickly create a clean environment to run tests without disturbing ongoing efforts in other environments.

Reliably Replicate Configuration Between Environments Because AWS CloudFormation scripts the entire environment, human error is eliminated when creating new stacks.

Launch Applications in New AWS Regions A single script can be used across multiple regions to launch stacks reliably in different markets.
AWS Elastic Beanstalk
AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all of the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Overview
AWS comprises dozens of building block services, each of which exposes an area of functionality. While the variety of services offers flexibility for how organizations want to manage their AWS infrastructure, it can be challenging to figure out which services to use and how to provision them. With AWS Elastic Beanstalk, you can quickly deploy and manage applications on the AWS cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control.
There are key components that comprise AWS Elastic Beanstalk and work together to provide the necessary services to deploy and manage applications easily in the cloud. An AWS Elastic Beanstalk application is the logical collection of these AWS Elastic Beanstalk components, which includes environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.
An application version refers to a specific, labeled iteration of deployable code for a web application. An application version points to an Amazon S3 object that contains the deployable code. Applications can have many versions and each application version is unique. In a running environment, organizations can deploy any application version they already uploaded to the application, or they can upload and immediately deploy a new application version. Organizations might upload multiple application versions to test differences between one version of their web application and another.
An environment is an application version that is deployed onto AWS resources. Each environment runs only a single application version at a time; however, the same version or different versions can run in as many environments at the same time as needed. When an environment is created, AWS Elastic Beanstalk provisions the resources needed to run the application version that is specified.
An environment configuration identifies a collection of parameters and settings that define how an environment and its associated resources behave. When an environment’s configuration settings are updated, AWS Elastic Beanstalk automatically applies the changes to existing resources or deletes and deploys new resources depending on the type of change.
When an AWS Elastic Beanstalk environment is launched, the environment tier, platform, and environment type are specified. The environment tier that is chosen determines whether AWS Elastic Beanstalk provisions resources to support a web application that handles HTTP(S) requests or an application that handles background-processing tasks. An environment tier whose web application processes web requests is known as a web server tier. An environment tier whose application runs background jobs is known as a worker tier.
At the time of this writing, AWS Elastic Beanstalk provides platform support for the programming languages Java, Node.js, PHP, Python, Ruby, and Go with support for the web containers Tomcat, Passenger, Puma, and Docker.
Use Cases
A company provides a website for prospective home buyers, sellers, and renters to browse home and apartment listings for more than 110 million homes. The website processes more than three million new images daily. It receives more than 17,000 image requests per second on its website during peak traffic from both desktop and mobile clients.
The company was looking for ways to be more agile with deployments and empower its developers to focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks. It began using AWS Elastic Beanstalk as the service for deploying and scaling the web applications and services. Developers were empowered to upload code to AWS Elastic Beanstalk, which then automatically handled the deployment, from capacity provisioning, load balancing, and Auto Scaling, to application health monitoring.
Because the company ingests data in a haphazard way, running feeds that dump a ton of work into the image processing system all at once, it needs to scale up its image converter fleet to meet peak demand. The company determined that an AWS Elastic Beanstalk worker fleet to run a Python Imaging Library with custom code was the simplest way to meet the requirement. This eliminated the need to have a number of static instances or, worse, trying to write their own Auto Scaling configuration.
By making the move to AWS Elastic Beanstalk, the company was able to reduce operating costs while increasing agility and scalability for its image processing and delivery system.
Key Features
AWS Elastic Beanstalk provides several management features that ease deployment and management of applications on AWS. Organizations have access to built-in Amazon CloudWatch monitoring metrics such as average CPU utilization, request count, and average latency. They can receive email notifications through Amazon SNS when application health changes or application servers are added or removed. Server logs for the application servers can be accessed without needing to log in. Organizations can even elect to have updates applied automatically to the underlying platform running the application, such as the AMI, operating system, language and framework, and application or proxy server.
Additionally, developers retain full control over the AWS resources powering their application and can perform a variety of functions by simply adjusting the configuration settings. These include settings such as:
Selecting the most appropriate Amazon EC2 instance type that matches the CPU and memory requirements of their application
Choosing the right database and storage options such as Amazon RDS, Amazon DynamoDB, Microsoft SQL Server, and Oracle
Enabling login access to Amazon EC2 instances for immediate and direct troubleshooting
Enhancing application security by enabling the HTTPS protocol on the load balancer
Adjusting application server settings (for example, JVM settings) and passing environment variables
Adjusting Auto Scaling settings to control the metrics and thresholds used to determine when to add or remove instances from an environment
With AWS Elastic Beanstalk, organizations can deploy an application quickly while retaining as much control as they want to have over the underlying infrastructure.
AWS Trusted Advisor
AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving over a million AWS customers. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. You can view the overall status of your AWS resources and savings estimations on the AWS Trusted Advisor dashboard.
AWS Trusted Advisor is accessed in the AWS Management Console. Additionally, programmatic access to AWS Trusted Advisor is available with the AWS Support API.
AWS Trusted Advisor provides best practices in four categories: cost optimization, security, fault tolerance, and performance improvement. The status of the check is shown by using color coding on the dashboard page, as depicted in Figure 11.10.
FIGURE 11.10 AWS Trusted Advisor Console dashboard
The color coding reflects the following information:
Red: Action recommended
Yellow: Investigation recommended
Green: No problem detected
For each check, you can review a detailed description of the recommended best practice, a set of alert criteria, guidelines for action, and a list of useful resources on the topic.
All AWS customers have access to four AWS Trusted Advisor checks at no cost. The four standard AWS Trusted Advisor checks are:
Service Limits Checks for usage that is more than 80 percent of the service limit. These values are based on a snapshot, so current usage might differ and can take up to 24 hours to reflect changes.
Security Groups – Specific Ports Unrestricted Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports
IAM Use Checks for your use of AWS IAM
MFA on Root Account Checks the root account and warns if MFA is not enabled
Customers with a Business or Enterprise AWS Support plan can view all AWS Trusted Advisor checks—over 50 checks.
There may be occasions when a particular check is not relevant to some resources in your AWS environment. You have the ability to exclude items from a check and optionally restore them later at any time. AWS Trusted Advisor acts like a customized cloud expert, and it helps organizations provision their resources by following best practices while identifying inefficiencies, waste, potential cost savings, and security issues.
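To make the two resource-level checks above concrete (Service Limits above 80 percent, and security group rules open to 0.0.0.0/0 on specific ports), here is an added example that reimplements their logic over a constructed account snapshot and maps each finding to the Red/Yellow/Green dashboard colors described above. It is not the study guide's or AWS Trusted Advisor's code; the usage rows, security group rules and, in particular, the port-to-severity table are assumptions made for the example, not the service's actual list.

```python
"""Offline reimplementation of two of the free Trusted Advisor checks.

Added example, not the study guide's or AWS's code. It runs the
"Service Limits" logic (usage above 80 percent of the limit) and the
"Security Groups - Specific Ports Unrestricted" logic (0.0.0.0/0 on
specific ports) over a constructed snapshot of an account and maps each
finding to the dashboard colors the text describes. The port severity
table is an assumption for the example, not Trusted Advisor's own list.
"""

# Constructed snapshot rows: (service, resource, current usage, service limit)
SERVICE_USAGE = [
    ("EC2", "On-Demand instances (us-east-1)", 17, 20),
    ("VPC", "VPCs per region", 2, 5),
    ("IAM", "Roles", 990, 1000),
]

# Constructed inbound security group rules, one dict per rule.
SECURITY_GROUPS = [
    {"group": "sg-web", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "port": 80, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "port": 3306, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "port": 3306, "cidr": "10.0.0.0/16"},
    {"group": "sg-admin", "port": 22, "cidr": "0.0.0.0/0"},
]

# Assumed severities (example values only): ports where Internet-wide access
# is an immediate exposure are Red, ports that merit a closer look are Yellow,
# anything else (for instance 80/443 on a public web tier) is Green.
RED_PORTS = {22, 3389, 3306, 1433, 5432}
YELLOW_PORTS = {21, 25, 8080}

LIMIT_THRESHOLD = 0.80  # from the text: "more than 80 percent of the service limit"


def check_service_limits(usage_rows, threshold=LIMIT_THRESHOLD):
    """Return findings as (status, service, resource, percent_used)."""
    findings = []
    for service, resource, used, limit in usage_rows:
        status = "Yellow" if used > threshold * limit else "Green"
        findings.append((status, service, resource, round(100 * used / limit)))
    return findings


def check_unrestricted_ports(rules):
    """Return (status, group, port) for every rule whose source is 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if rule["cidr"] != "0.0.0.0/0":
            continue  # restricted source: outside this check's scope
        if rule["port"] in RED_PORTS:
            status = "Red"
        elif rule["port"] in YELLOW_PORTS:
            status = "Yellow"
        else:
            status = "Green"
        findings.append((status, rule["group"], rule["port"]))
    return findings


def worst_status(findings):
    """Roll a list of findings up to one dashboard color (Red > Yellow > Green)."""
    order = {"Green": 0, "Yellow": 1, "Red": 2}
    return max((f[0] for f in findings), key=order.get, default="Green")


if __name__ == "__main__":
    limits = check_service_limits(SERVICE_USAGE)
    ports = check_unrestricted_ports(SECURITY_GROUPS)
    for finding in limits + ports:
        print(finding)
    print("Service Limits:", worst_status(limits), "| Unrestricted ports:", worst_status(ports))
```

Note how the snapshot semantics from the text carry over: the usage figures are whatever was captured when the rows were collected, so a finding can lag real usage by up to the stated 24 hours, and a rule that is open only to an internal CIDR such as 10.0.0.0/16 is deliberately ignored because the check is about unrestricted access.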
AWS Config
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Overview
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related and how they were configured in the past so that you can see how the configurations and relationships change over time. AWS Config defines a resource as an entity you can work with in AWS, such as an Amazon EC2 instance, an Amazon EBS volume, a security group, or an Amazon VPC.
When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource. A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
AWS Config will generate configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. The configuration recorder stores the configurations of the supported resources in your account as configuration items. By default, AWS Config creates configuration items for every supported resource in the region. If you don’t want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
Organizations often need to assess the overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance. An AWS Config Rule represents desired configuration settings for specific AWS resources or for an entire AWS account. While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant and notifies you through Amazon SNS.
AWS Config makes it easy to track resource configuration without the need for up-front investments and while avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once AWS Config is enabled, organizations can view continuously updated details of all configuration attributes associated with AWS resources.
Use Cases
Some of the infrastructure management tasks AWS Config enables include:
Discovery AWS Config will discover resources that exist in your account, record their current configuration, and capture any changes to these configurations. AWS Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
Change Management When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon SNS so that you are notified of all configuration changes. AWS Config represents relationships between resources, so you can assess how a change to one resource may affect other resources.
Continuous Audit and Compliance AWS Config and AWS Config Rules are designed to help you assess compliance with internal policies and regulatory standards by providing visibility into the configuration of a resource at any time and evaluating relevant configuration changes against rules that you can define.
Troubleshooting Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.
Security and Incident Analysis Properly configured resources improve your security posture. Data from AWS Config enables you to monitor the configurations of your resources continuously and evaluate these configurations for potential security weaknesses. After a potential security event, AWS Config enables you to examine the configuration of your resources at any single point in the past.
Key Features
In the past, organizations needed to poll resource APIs and maintain their own external database for change management. AWS Config resolves this previous need and automatically records resource configuration information and will evaluate any rules that are triggered by a change. The configuration of the resource and its overall compliance against rules are presented in a dashboard.
AWS Config integrates with AWS CloudTrail, a service that records AWS API calls for an account and delivers API usage log files to an Amazon S3 bucket. If the configuration change of a resource was the result of an API call, AWS Config also records the AWS CloudTrail event ID that corresponds to the API call that changed the resource’s configuration. Organizations can then leverage the AWS CloudTrail logs to obtain details of the API call that was made—including who made the API call, at what time, and from which IP address—to use for troubleshooting purposes.
When a configuration change is made to a resource or when the compliance of an AWS Config rule changes, a notification message is delivered that contains the updated configuration of the resource or compliance state of the rule and key information such as the old and new values for each changed attribute. Additionally, AWS Config sends notifications when a Configuration History file is delivered to Amazon S3 and when the customer initiates a Configuration Snapshot. These messages are all streamed to an Amazon SNS topic that you specify.
Organizations can use the AWS Management Console, API, or AWS CLI to obtain details of what a resource’s configuration looked like at any point in the past. AWS Config will also automatically deliver a history file to the Amazon S3 bucket you specify every six hours that contains all changes to your resource configurations.
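The AWS Config concepts described in this section (a history of configuration items per resource, rules evaluated against each change, the CloudTrail event ID recorded with a change, the old/new attribute values carried in the notification, and looking up a resource's configuration at a point in the past) can be exercised together on a small in-memory history. The following is an added example written for this section, not the study guide's or AWS Config's code: the configuration items, the two rule names, the timestamps and the `EVENT-ID-PLACEHOLDER-*` event IDs are all constructed, and the item layout only loosely follows the component list in the text rather than the service's real schema.

```python
"""Offline model of AWS Config Rules evaluated over a configuration item history.

Added example, not the study guide's or AWS's code. It walks a constructed
configuration-item history for one resource, evaluates two rules after each
change, pinpoints the configuration item (and the CloudTrail event ID recorded
with it) where the resource drifted out of compliance, builds the old/new
attribute diff that the text says the change notification carries, and looks
up the configuration in effect at an arbitrary point in the past.
Item fields, rule names, timestamps and event IDs are constructed.
"""

# Constructed configuration items for one EBS volume, oldest first.
HISTORY = [
    {
        "captureTime": "2017-03-01T10:00:00Z",
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-EXAMPLE1",
        "configuration": {"encrypted": True, "size": 100, "tags": {"Owner": "payments"}},
        "relatedEvents": ["EVENT-ID-PLACEHOLDER-1"],  # stands in for a CloudTrail event ID
    },
    {
        "captureTime": "2017-03-02T14:30:00Z",
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-EXAMPLE1",
        "configuration": {"encrypted": True, "size": 200, "tags": {}},
        "relatedEvents": ["EVENT-ID-PLACEHOLDER-2"],
    },
    {
        "captureTime": "2017-03-03T09:15:00Z",
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-EXAMPLE1",
        "configuration": {"encrypted": True, "size": 200, "tags": {"Owner": "payments"}},
        "relatedEvents": ["EVENT-ID-PLACEHOLDER-3"],
    },
]

# Rules: name -> predicate over the configuration dict (True means compliant).
# Names are the example's own, not AWS managed rule identifiers.
RULES = {
    "volume-encrypted": lambda cfg: cfg.get("encrypted") is True,
    "required-tag-owner": lambda cfg: "Owner" in cfg.get("tags", {}),
}


def evaluate(item, rules=RULES):
    """Return {rule_name: 'COMPLIANT' | 'NON_COMPLIANT'} for one configuration item."""
    cfg = item["configuration"]
    return {name: ("COMPLIANT" if check(cfg) else "NON_COMPLIANT")
            for name, check in rules.items()}


def changed_attributes(old_item, new_item):
    """Old/new values for each top-level attribute that differs between two items."""
    old, new = old_item["configuration"], new_item["configuration"]
    return {k: {"old": old.get(k), "new": new.get(k)}
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def drift_events(history, rules=RULES):
    """Pinpoint which configuration change moved a rule from COMPLIANT to NON_COMPLIANT.

    Returns (rule_name, captureTime, relatedEvents, changed_attributes) per transition;
    relatedEvents is what you would take to CloudTrail to see who made the call.
    """
    found = []
    prev_item, prev_eval = None, None
    for item in history:
        cur_eval = evaluate(item, rules)
        if prev_item is not None:
            for rule, state in cur_eval.items():
                if state == "NON_COMPLIANT" and prev_eval[rule] == "COMPLIANT":
                    found.append((rule, item["captureTime"], item["relatedEvents"],
                                  changed_attributes(prev_item, item)))
        prev_item, prev_eval = item, cur_eval
    return found


def configuration_at(history, timestamp):
    """Configuration in effect at `timestamp` (ISO 8601 UTC), or None if before recording began."""
    in_effect = None
    for item in history:  # oldest first, so the last match wins
        if item["captureTime"] <= timestamp:
            in_effect = item["configuration"]
    return in_effect


if __name__ == "__main__":
    for rule, when, events, diff in drift_events(HISTORY):
        print(f"{rule} became NON_COMPLIANT at {when}; CloudTrail events {events}; changed {diff}")
    print("Config at 2017-03-02T20:00:00Z:", configuration_at(HISTORY, "2017-03-02T20:00:00Z"))
```

The ISO 8601 UTC timestamps compare correctly as plain strings, which is why `configuration_at` needs no date parsing; the single drift found is the tag removal on the second item, and the diff it reports also includes the size change made by the same call, mirroring the "old and new values for each changed attribute" the notification carries.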
Summary
In this chapter, you learned about additional key AWS cloud services, many of which will be covered on your AWS Certified Solutions Architect – Associate exam. These services are grouped into four categories of services: storage and content delivery, security, analytics, and DevOps.
In the storage and content delivery group, we covered Amazon CloudFront and AWS Storage Gateway. Amazon CloudFront is a global CDN service. It integrates with other AWS products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments. AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage. It provides seamless and secure integration between an organization’s on-premises IT environment and AWS storage infrastructure. The AWS Storage Gateway appliance maintains frequently accessed data on-premises while encrypting and storing all of your data in Amazon S3 or Amazon Glacier.
The services we covered in security focused on Identity Management (AWS Directory Service), Key Management (AWS KMS, AWS CloudHSM), and Audit (AWS CloudTrail). AWS Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. AWS Directory Service is offered in three types: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), Simple AD, and AD Connector.
Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys. AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.
Rounding out the security services is AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.
The analytics services covered help you overcome the unique list of challenges associated with big data in today’s IT world. Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs. Amazon EMR provides you with a fully managed, on-demand Hadoop framework. The reduction of complexity and up-front costs combined with the scale of AWS means you can instantly spin up large Hadoop clusters and start processing within minutes.
To supplement the big data challenges, orchestrating data movement comes with its own challenges. AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, and also on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it’s stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR. Additionally, AWS Import/Export helps when you’re faced with the challenge of getting huge data sets into AWS in the first place or retrieving them back to on-premises when necessary. AWS Import/Export is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet. The data is copied to a device at the source, shipped via standard shipping mechanisms, and then copied to the destination.
AWS continues to evolve services in support of organizations embracing DevOps. Services such as AWS OpsWorks, AWS CloudFormation, AWS Elastic Beanstalk, and AWS Config are leading the way for DevOps on AWS. AWS OpsWorks provides a configuration management service that helps you configure and operate applications using Chef. AWS OpsWorks works with applications of any level of complexity and is independent of any particular architectural pattern. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way one would do with software. AWS Elastic Beanstalk allows developers to simply upload their application code, and the service automatically handles all of the details such as resource provisioning, load balancing, Auto Scaling, and monitoring. AWS Config delivers a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations have the information necessary for compliance auditing, security analysis, resource change tracking, and troubleshooting.
The key additional services covered in this chapter will help you form a knowledge base to understand the necessities for the exam. As you continue to grow as a Solutions Architect, diving deeper into the AWS cloud services as a whole will expand your ability to define well-architected solutions across a wide variety of business verticals and use cases.
Exam Essentials
Know the basic use cases for Amazon CloudFront. Know when to use Amazon CloudFront (for popular static and dynamic content with geographically distributed users) and when not to (all users at a single location or connecting through a corporate VPN).
Know how Amazon CloudFront works. Amazon CloudFront optimizes downloads by using geolocation to identify the geographical location of users, then serving and caching content at the edge location closest to each user to maximize performance.
Know how to create an Amazon CloudFront distribution and what types of origins are supported. To create a distribution, you specify an origin and the type of distribution, and Amazon CloudFront creates a new domain name for the distribution. Origins supported include Amazon S3 buckets or static Amazon S3 websites and HTTP servers located in Amazon EC2 or in your own data center.
Know how to use Amazon CloudFront for dynamic content and multiple origins. Understand how to specify multiple origins for different types of content and how to use cache behaviors and path strings to control what content is served by which origin.
Know what mechanisms are available to serve private content through Amazon CloudFront. Amazon CloudFront can serve private content using Amazon S3 Origin Access Identifiers, signed URLs, and signed cookies.
Know the three configurations of AWS Storage Gateway and their use cases. Gateway-Cached volumes expand your on-premises storage into Amazon S3 and cache frequently used files locally. Gateway-Stored volumes keep all your data available locally at all times and also replicate it asynchronously to Amazon S3. Gateway-VTL enables you to keep your current backup tape software and processes while eliminating physical tapes by storing your data in the cloud.
Understand the value of AWS Directory Service. AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business.
Know the AWS Directory Service directory types. AWS Directory Service offers three directory types:
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
Simple AD
AD Connector
Know when you should use AWS Directory Service for Microsoft Active Directory. You should use Microsoft Active Directory if you have more than 5,000 users or need a trust relationship set up between an AWS hosted directory and your on-premises directories.
Understand key management. Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.
Understand when you should use AWS KMS. AWS KMS is a managed service that makes it easy for you to create and control the symmetric encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define.
Understand when you should use AWS CloudHSM. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware security module appliances within the AWS cloud.
Understand the value of AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. This helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
Know the three services of Amazon Kinesis and their use cases. Amazon Kinesis Firehose allows you to load massive volumes of streaming data into AWS. Amazon Kinesis Analytics enables you to easily analyze streaming data in real time with standard SQL. Amazon Kinesis Streams enables you to build custom applications that process or analyze streaming data in real time for specialized needs.
Know what service Amazon EMR provides. Amazon EMR provides a managed Hadoop service on AWS that allows you to spin up large Hadoop clusters in minutes.
Know the difference between persistent and transient clusters. Persistent clusters run continuously, so they do not lose data stored on instance-based HDFS. Transient clusters are launched for a specific task, then terminated, so they access data on Amazon S3 via EMRFS.
Know the use cases for Amazon EMR. Amazon EMR is useful for big data analytics in virtually any industry, including, but not limited to, log processing, clickstream analysis, and genomics and life sciences.
Know the use cases for AWS Data Pipeline. AWS Data Pipeline can manage batch ETL processes at scale on the cloud, accessing data both in AWS and on-premises. It can take advantage of AWS cloud services by spinning up resources required for the process, such as Amazon EC2 instances or Amazon EMR clusters.
Know the types of AWS Import/Export services and the possible sources/destinations of each. AWS Snowball uses Amazon-supplied shippable appliances that arrive ready to ship. It can transfer data to and from your on-premises storage and to and from Amazon S3. AWS Import/Export Disk uses your storage devices and, in addition to transferring data in and out of your on-premises storage, can import data to Amazon S3, Amazon EBS, and Amazon S3; it can only export data from Amazon S3.
Understand the basics of AWS OpsWorks. AWS OpsWorks is a configuration management service that helps you configure and operate applications of all shapes and sizes using Chef. You can define an application’s architecture and the specification of each component including package installation, software configuration, and resources such as storage.
Understand the value of AWS CloudFormation. AWS CloudFormation is a service that helps you model and set up your AWS resources. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way you would do with software.
Understand the value of AWS Elastic Beanstalk. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Understand the components of AWS Elastic Beanstalk. An AWS Elastic Beanstalk application is the logical collection of environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.
Understand the value of AWS Config. AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing and deleted AWS resources, determine their overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Review Questions
1. What origin servers are supported by Amazon CloudFront? (Choose 3 answers)
A. An Amazon Route 53 Hosted Zone
B. An Amazon Simple Storage Service (Amazon S3) bucket
C. An HTTP server running on Amazon Elastic Compute Cloud (Amazon EC2)
D. An Amazon EC2 Auto Scaling Group
E. An HTTP server running on-premises
2. Which of the following are good use cases for Amazon CloudFront? (Choose 2 answers)
A. A popular software download site that supports users around the world, with dynamic content that changes rapidly
B. A corporate website that serves training videos to employees. Most employees are located in two corporate campuses in the same city.
C. A heavily used video and music streaming service that requires content to be delivered only to paid subscribers
D. A corporate HR website that supports a global workforce. Because the site contains sensitive data, all users must connect through a corporate Virtual Private Network (VPN).
3. You have a web application that contains both static content in an Amazon Simple Storage Service (Amazon S3) bucket—primarily images and CSS files—and also dynamic content currently served by a PHP web app running on Amazon Elastic Compute Cloud (Amazon EC2). What features of Amazon CloudFront can be used to support this application with a single Amazon CloudFront distribution? (Choose 2 answers)
A. Multiple Origin Access Identifiers
B. Multiple signed URLs
C. Multiple origins
D. Multiple edge locations
E. Multiple cache behaviors
4. You are building a media-sharing web application that serves video files to end users on both PCs and mobile devices. The media files are stored as objects in an Amazon Simple Storage Service (Amazon S3) bucket, but are to be delivered through Amazon CloudFront. What is the simplest way to ensure that only Amazon CloudFront has access to the objects in the Amazon S3 bucket?
A. Create Signed URLs for each Amazon S3 object.
B. Use an Amazon CloudFront Origin Access Identifier (OAI).
C. Use public and private keys with signed cookies.
D. Use an AWS Identity and Access Management (IAM) bucket policy.
5. Your company data center is completely full, but the sales group has determined a need to store 200TB of product video. The videos were created over the last several years, with the most recent being accessed by sales the most often. The data must be accessed locally, but there is no space in the data center to install local storage devices to store this data. What AWS cloud service will meet sales’ requirements?
A. AWS Storage Gateway Gateway-Stored volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances with attached Amazon EBS Volumes
C. AWS Storage Gateway Gateway-Cached volumes
D. AWS Import/Export Disk
6. Your company wants to extend their existing Microsoft Active Directory capability into an Amazon Virtual Private Cloud (Amazon VPC) without establishing a trust relationship with the existing on-premises Active Directory. Which of the following is the best approach to achieve this goal?
A. Create and connect an AWS Directory Service AD Connector.
B. Create and connect an AWS Directory Service Simple AD.
C. Create and connect an AWS Directory Service for Microsoft Active Directory (Enterprise Edition).
D. None of the above
7. Which of the following are AWS Key Management Service (AWS KMS) keys that will never exit AWS unencrypted?
A. AWS KMS data keys
B. Envelope encryption keys
C. AWS KMS Customer Master Keys (CMKs)
D. A and C
8. Which cryptographic method is used by AWS Key Management Service (AWS KMS) to encrypt data?
A. Password-based encryption
B. Asymmetric
C. Shared secret
D. Envelope encryption
9. Which AWS service records Application Program Interface (API) calls made on your account and delivers log files to your Amazon Simple Storage Service (Amazon S3) bucket?
A. AWS CloudTrail
B. Amazon CloudWatch
C. Amazon Kinesis
D. AWS Data Pipeline
10. You are trying to decrypt ciphertext with AWS KMS and the decryption operation is failing. Which of the following are possible causes? (Choose 2 answers)
A. The private key does not match the public key in the ciphertext.
B. The plaintext was encrypted along with an encryption context, and you are not providing the identical encryption context when calling the Decrypt API.
C. The ciphertext you are trying to decrypt is not valid.
D. You are not providing the correct symmetric key to the Decrypt API.
11. Your company has 30 years of financial records that take up 15TB of on-premises storage. It is regulated that you maintain these records, but in the year you have worked for the company no one has ever requested any of this data. Given that the company data center is already filling the bandwidth of its Internet connection, what is an alternative way to store the data on the most appropriate cloud storage?
A. AWS Import/Export to Amazon Simple Storage Service (Amazon S3)
B. AWS Import/Export to Amazon Glacier
C. Amazon Kinesis
D. Amazon Elastic MapReduce (AWS EMR)
12. Your company collects information from the point of sale registers at all of its franchise locations. Each month these processes collect 200TB of information stored in Amazon Simple Storage Service (Amazon S3). Analytics jobs taking 24 hours are performed to gather knowledge from this data. Which of the following will allow you to perform these analytics in a cost-effective way?
A. Copy the data to a persistent Amazon Elastic MapReduce (Amazon EMR) cluster, and run the MapReduce jobs.
B. Create an application that reads the information of the Amazon S3 bucket and runs it through an Amazon Kinesis stream.
C. Run a transient Amazon EMR cluster, and run the MapReduce jobs against the data directly in Amazon S3.
D. Launch a d2.8xlarge (32 vCPU, 244GB RAM) Amazon Elastic Compute Cloud (Amazon EC2) instance, and run an application to read and process each object sequentially.
13. Which service allows you to process nearly limitless streams of data in flight?
A. Amazon Kinesis Firehose
B. Amazon Elastic MapReduce (Amazon EMR)
C. Amazon Redshift
D. Amazon Kinesis Streams
14. What combination of services enable you to copy daily 50TB of data to Amazon storage, process the data in Hadoop, and store the results in a large data warehouse?
A. Amazon Kinesis, Amazon Data Pipeline, Amazon Elastic MapReduce (Amazon EMR), and Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Elastic Block Store (Amazon EBS), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift
C. Amazon Simple Storage Service (Amazon S3), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift
D. Amazon S3, Amazon Simple Workflow, Amazon EMR, and Amazon DynamoDB
15. Your company has 50,000 weather stations around the country that send updates every 2 seconds. What service will enable you to ingest this stream of data and store it to Amazon Simple Storage Service (Amazon S3) for future processing?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Kinesis Firehose
C. Amazon Elastic Compute Cloud (Amazon EC2)
D. Amazon Data Pipeline
16. Your organization uses Chef heavily for its deployment automation. What AWS cloud service provides integration with Chef recipes to start new application server instances, configure application server software, and deploy applications?
A. AWS Elastic Beanstalk
B. Amazon Kinesis
C. AWS OpsWorks
D. AWS CloudFormation
17. A firm is moving its testing platform to AWS to provide developers with instant access to clean test and development environments. The primary requirement for the firm is to make environments easily reproducible and fungible. What service will help the firm meet their requirements?
A. AWS CloudFormation
B. AWS Config
C. Amazon Redshift
D. AWS Trusted Advisor
18. Your company’s IT management team is looking for an online tool to provide recommendations to save money, improve system availability and performance, and to help close security gaps. What can help the management team?
A. Cloud-init
B. AWS Trusted Advisor
C. AWS Config
D. Configuration Recorder
19. Your company works with data that requires frequent audits of your AWS environment to ensure compliance with internal policies and best practices. In order to perform these audits, you need access to historical configurations of your resources to evaluate relevant configuration changes. Which service will provide the necessary information for your audits?
A. AWS Config
B. AWS Key Management Service (AWS KMS)
C. AWS CloudTrail
D. AWS OpsWorks
20. All of the website deployments are currently done by your company’s development team. With a surge in website popularity, the company is looking for ways to be more agile with deployments. What AWS cloud service can help the developers focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks?
A. AWS Config
B. AWS Trusted Advisor
C. Amazon Kinesis
D. AWS Elastic Beanstalk
Chapter 12
Security on AWS
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS shared responsibility model
AWS platform compliance
AWS security attributes (customer workloads down to physical layer)
AWS administration and security services
AWS Identity and Access Management (IAM)
Amazon Virtual Private Cloud (Amazon VPC)
AWS CloudTrail
Ingress vs. egress filtering, and which AWS services and features fit
Core Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) security feature sets
Incorporating common conventional security products (Firewall, Virtual Private Network [VPN])
Denial of Service (DoS) mitigation
Encryption solutions (e.g., key services)
Complex access controls (building sophisticated security groups, Access Control Lists [ACLs], etc.)
Introduction
Cloud security is the first priority at AWS. All AWS customers benefit from a data center and network architecture that is built to satisfy the requirements of the most security-sensitive organizations. AWS and its partners offer tools and features to help you meet your security objectives around visibility, auditability, controllability, and agility. This means that you can have the security you need, but without the capital outlay and at a much lower operational overhead than in an on-premises or a traditional data center environment. This chapter will cover the relevant security topics that are within scope of the AWS Certified Solutions Architect – Associate exam.
Shared Responsibility Model
Before we go into the details of how AWS secures its resources, we should talk about how security in the cloud is slightly different than security in your on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud. This shared responsibility model can reduce your operational burden in many ways, and in some cases it may even improve your default security posture without additional action on your part. Figure 12.1 illustrates AWS responsibilities versus those of the customer. Essentially, AWS is responsible for security of the cloud, and customers are responsible for security in the cloud.
FIGURE 12.1 The shared responsibility model
AWS Compliance Program
AWS compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As you build systems on top of AWS Cloud infrastructure, you share compliance responsibilities with AWS. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS compliance enablers build on traditional programs, helping you to establish and operate in an AWS security control environment. The IT infrastructure that AWS provides is designed and managed in alignment with security best practices and a variety of IT security standards, including (at the time of this writing):
Service Organization Control (SOC) 1/Statement on Standards for Attestation Engagements (SSAE) 16/International Standards for Assurance Engagements No. 3402 (ISAE 3402) (formerly Statement on Auditing Standards [SAS] 70)
SOC 2
SOC 3
Federal Information Security Management Act (FISMA), Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP), and Federal Risk and Authorization Management Program (FedRAMP)
DoD Cloud Computing Security Requirements Guide (SRG) Levels 2 and 4
Payment Card Industry Data Security Standard (PCI DSS) Level 1
International Organization for Standardization (ISO) 9001 and ISO 27001
International Traffic in Arms Regulations (ITAR)
Federal Information Processing Standard (FIPS) 140-2
In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:
Criminal Justice Information Services (CJIS)
Cloud Security Alliance (CSA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Motion Picture Association of America (MPAA)
AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, accreditations, and other third-party attestations. To aid in preparation for your AWS Certified Solutions Architect Associate exam, see Chapter 13, "AWS Risk and Compliance." More information is available in the "AWS Risk and Compliance" white paper available on the AWS website.
AWS Global Infrastructure Security
AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (for example, host operating system and virtualization software) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you're building web architectures on top of some of the most secure computing infrastructure in the world.
Physical and Environmental Security
AWS data centers are state of the art, using innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or AWS. All physical access to data centers by AWS employees is logged and audited routinely.
Fire Detection and Suppression
AWS data centers have automatic fire detection and suppression equipment to reduce risk. The fire detection system uses smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, 7 days a week. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads in the facility. AWS data centers use generators to provide backup power for the entire facility.
Climate and Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages.
AWS data centers are built to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Management
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. AWS staff performs preventative maintenance to maintain the continued operability of equipment.
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
Business Continuity Management
Amazon's infrastructure has a high level of availability and provides customers with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.
Availability
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AWS provides its customers with the flexibility to place instances and store data within multiple geographic regions and also across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. This means that Availability Zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by region). In addition to having discrete UPS and on-site backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability Zones are all redundantly connected to multiple tier-1 transit providers. Figure 12.2 illustrates how AWS regions are comprised of Availability Zones.
FIGURE 12.2 Amazon Web Services regions
You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Incident Response
The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24×7×365 coverage to detect incidents and to manage the impact and resolution.
Communication
AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees, regular management meetings for updates on business performance and other matters, and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.
AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS Security Center is available to provide you with security and compliance details about AWS. Customers can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer-impacting issues.
Network Security
The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.
Secure Network Architecture
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed to ensure these managed interfaces enforce the most up-to-date ACLs.
Secure Access Points
AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called Application Programming Interface (API) endpoints, and they permit secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with Federal Information Processing Standard (FIPS) cryptographic requirements, the Secure Sockets Layer (SSL)-terminating load balancers in AWS GovCloud (US) are FIPS 140-2 compliant.
In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet Service Providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. These connections each have dedicated network devices.
Transmission Protection
You can connect to an AWS access point via HTTP or HTTPS using SSL/TLS, a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (Amazon VPC) (as referenced in Chapter 4, "Amazon Virtual Private Cloud (Amazon VPC)"), which provides a private subnet within the AWS Cloud and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center.
Network Monitoring and Protection
The AWS network provides significant protection against traditional network security issues, and you can implement further protection. The following are a few examples:
Distributed Denial of Service (DDoS) Attacks
AWS API endpoints are hosted on a large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world's largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS networks are multi-homed across a number of providers to achieve Internet access diversity.
Man in the Middle (MITM) Attacks
All of the AWS APIs are available via SSL/TLS-protected endpoints that provide server authentication. Amazon EC2 AMIs automatically generate new Secure Shell (SSH) host keys on first boot and log their fingerprints to the instance's console output. You can then use the signed APIs to retrieve the console output and obtain the host key fingerprints before logging in to the instance for the first time, and compare them with the fingerprint your SSH client presents. AWS encourages you to use SSL/TLS for all of your interactions.
IP Spoofing
Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or Media Access Control (MAC) address other than its own.
Port Scanning
Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on the AWS website. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by the customer. Strict management of security groups can further mitigate the threat of port scans. If you configure the security group to allow traffic from any source to a specific port, that specific port will be vulnerable to a port scan. In these cases, you must use appropriate security measures to protect listening services that may be essential to your application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server software, such as Apache. You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements. These scans must be limited to your own instances and must not violate the AWS Acceptable Use Policy. Advance approval for these types of scans can be obtained by submitting a request via the AWS website.
Packet Sniffing by Other Tenants
While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other's traffic. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another customer's data, as a standard practice you should encrypt sensitive traffic.
It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance.
Attacks such as Address Resolution Protocol (ARP) cache poisoning do not work within Amazon EC2 and Amazon VPC.
AWS Account Security Features
AWS provides a variety of tools and features that you can use to keep your AWS account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate AWS Identity and Access Management (IAM) user accounts, and user activity logging for security monitoring. You can take advantage of all of these security tools no matter which AWS services you select.
AWS Credentials
To help ensure that only authorized users and processes access your AWS account and resources, AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provides the option of requiring Multi-Factor Authentication (MFA) to log in to your AWS Account or IAM user accounts. Table 12.1 highlights the various AWS credentials and their uses.
TABLE 12.1 AWS Credentials
Credential Type | Use | Description
Passwords | AWS root account or IAM user account login to the AWS Management Console | A string of characters used to log in to your AWS account or IAM account. AWS passwords must be a minimum of 6 characters and may be up to 128 characters.
Multi-Factor Authentication (MFA) | AWS root account or IAM user account login to the AWS Management Console | A six-digit, single-use code that is required in addition to your password to log in to your AWS account or IAM user account.
Access Keys | Digitally signed requests to AWS APIs (using the AWS Software Development Kit [SDK], Command Line Interface [CLI], or REST/Query APIs) | Includes an access key ID and a secret access key. You use access keys to digitally sign programmatic requests that you make to AWS.
Key Pairs | SSH login to Amazon EC2 instances; Amazon CloudFront signed URLs | A key pair is required to connect to an Amazon EC2 instance launched from a public AMI. The keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys. You can have a key pair generated automatically for you when you launch the instance, or you can upload your own.
X.509 Certificates | Digitally signed SOAP requests to AWS APIs; SSL server certificates for HTTPS | X.509 signing certificates are only used to sign SOAP-based requests (currently used only with Amazon Simple Storage Service [Amazon S3]). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
For security reasons, if your credentials have been lost or forgotten, you cannot recover them or re-download them. However, you can create new credentials and then disable or delete the old set of credentials. In fact, AWS recommends that you change (rotate) your access keys and certificates on a regular basis. To help you do this without potential impact to your application's availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates.
The AWS IAM API enables you to rotate the access keys of your AWS account and also for IAM user accounts.
Passwords
Passwords are required to access your AWS Account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page. AWS passwords can be up to 128 characters long and contain special characters, giving you the ability to create very strong passwords.
You can set a password policy for your IAM user accounts to ensure that strong passwords are used and that they are changed often. A password policy is a set of rules that define the type of password an IAM user can set.
AWS Multi-Factor Authentication (AWS MFA)
AWS MFA is an additional layer of security for accessing AWS Cloud services. When you enable this optional feature, you will need to provide a six-digit, single-use code in addition to your standard user name and password credentials before access is granted to your AWS account settings or AWS Cloud services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is MFA because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). You can enable MFA devices for your AWS account and for the users you have created under your AWS account with AWS IAM. In addition, you can add MFA protection for access across AWS accounts, for when you want to allow a user you've created under one AWS account to use an IAM role to access resources under another AWS account. You can require the user to use MFA before assuming the role as an additional layer of security.
AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA may be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.
You can also enforce MFA authentication for AWS Cloud service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA requirement to an IAM access policy. You can attach these access policies to IAM users, IAM groups, or resources that support ACLs like Amazon S3 buckets, Amazon Simple Queue Service (Amazon SQS) queues, and Amazon Simple Notification Service (Amazon SNS) topics.
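The paragraph above says an MFA requirement is "added to an IAM access policy" but does not show what that looks like. The following is an added example, not from the book: a hypothetical policy that gates ec2:TerminateInstances on the real IAM condition keys aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge, plus a deliberately simplified evaluator (explicit deny wins, any matching allow grants, otherwise implicit deny; Resource matching is omitted because every statement uses "*") that makes the one subtlety practitioners trip over visible: a request made with long-term access keys carries no aws:MultiFactorAuthPresent key at all, and a missing key fails the Bool test.

```python
import fnmatch
import json

# Hypothetical policy document (added example). Everyone may describe EC2 resources, but
# TerminateInstances is allowed only when the caller authenticated with MFA less than an
# hour ago. The two condition keys are the real IAM global condition keys.
MFA_PROTECTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {
       "Bool": {"aws:MultiFactorAuthPresent": "true"},
       "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}
     }}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold (AND). A key absent from the request context fails
    the test; that is why a request signed with plain long-term access keys (which carry no
    aws:MultiFactorAuthPresent at all) never satisfies the Bool test."""
    for operator, tests in condition.items():
        for key, wanted in tests.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(wanted):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled in this example")
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Simplified IAM evaluation of one policy: an explicit Deny always wins, a matching
    Allow grants, and anything unmatched is implicitly denied."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed request contexts: an MFA-authenticated session two minutes old, and a
    # request signed with plain access keys (no MFA keys present at all).
    mfa_session = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}
    print(is_allowed(MFA_PROTECTED_POLICY, "ec2:TerminateInstances", mfa_session))  # True
    print(is_allowed(MFA_PROTECTED_POLICY, "ec2:TerminateInstances", {}))           # False
    print(is_allowed(MFA_PROTECTED_POLICY, "ec2:DescribeInstances", {}))            # True
```

Real IAM evaluation also considers every other policy attached to the principal and resource; this model covers only the condition semantics.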
Access Keys
Access keys are created by AWS IAM and delivered as a pair: the Access Key ID (AKI) and the Secret Access Key (SAK). AWS requires that all API requests be signed by the SAK; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you.
Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, but it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the timestamp in the request. Otherwise, AWS denies the request.
The most recent version of the digital signature calculation process at the time of this writing is Signature Version 4, which calculates the signature using the Hash-based Message Authentication Code (HMAC) construction with the Secure Hash Algorithm (SHA)-256 hash. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your SAK instead of using the SAK itself. In addition, you derive the signing key based on credential scope (the date, region, and service the request is for), which facilitates cryptographic isolation of the signing key: a derived key that leaks is useful only for that day, region, and service.
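The two properties just described, the derived signing key bound to a credential scope and the 15-minute freshness window, are easy to show in code. The following is an added example (not the book's code, and not the AWS SDK) of the Signature Version 4 derivation chain and the string-to-sign, using the placeholder secret key and inputs from the AWS SigV4 documentation's key-derivation example. The canonical request passed to sign() is a constructed, simplified one; the SigV4 specification defines exactly how a real one is normalized (method, URI, sorted query, canonical headers, signed-header list, payload hash), and that normalization is assumed to have been done by the caller.

```python
import datetime
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_CLOCK_SKEW = datetime.timedelta(minutes=15)   # freshness window AWS enforces on X-Amz-Date


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation. The SAK never signs anything directly; the request is signed
    with a key bound to one day, region and service (the credential scope)."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def credential_scope(date_stamp: str, region: str, service: str) -> str:
    return f"{date_stamp}/{region}/{service}/aws4_request"


def sign(secret_access_key: str, region: str, service: str, amz_date: str, canonical_request: str) -> str:
    """Hex signature over the string-to-sign. amz_date is the X-Amz-Date value
    (YYYYMMDD'T'HHMMSS'Z'); canonical_request is the caller's already-normalized request text."""
    date_stamp = amz_date[:8]
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        credential_scope(date_stamp, region, service),
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signing_key = derive_signing_key(secret_access_key, date_stamp, region, service)
    return hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def is_fresh(amz_date: str, received_at: str) -> bool:
    """The replay check described above: reject a request whose X-Amz-Date is more than
    15 minutes away from the time the service received it (both in X-Amz-Date format)."""
    fmt = "%Y%m%dT%H%M%SZ"
    sent = datetime.datetime.strptime(amz_date, fmt)
    received = datetime.datetime.strptime(received_at, fmt)
    return abs(received - sent) <= MAX_CLOCK_SKEW


if __name__ == "__main__":
    # Placeholder key and inputs from the AWS SigV4 docs' key-derivation example (not a real credential).
    sak = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
    print(derive_signing_key(sak, "20120215", "us-east-1", "iam").hex())
    # f4780e2d9f65fa895f9c67b32ce1baf0b0d8a43505a000a1a9e090d414db404d
    empty_payload = hashlib.sha256(b"").hexdigest()
    canonical = "GET\n/\nAction=ListUsers&Version=2010-05-08\nhost:iam.amazonaws.com\n\nhost\n" + empty_payload
    print(sign(sak, "us-east-1", "iam", "20120215T120000Z", canonical))
    print(is_fresh("20120215T114600Z", "20120215T120000Z"))   # True: 14 minutes old
    print(is_fresh("20120215T114400Z", "20120215T120000Z"))   # False: 16 minutes old
```

Because the signed string includes the date, region, service, and a hash of the whole canonical request, changing any header or parameter in transit invalidates the signature, and a captured request cannot be replayed against a different service or region even inside the 15-minute window.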
Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and to not embed them in your code. For customers with large fleets of elastically scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.
IAM roles provide temporary credentials, which not only get automatically loaded to the target instance, but are also automatically rotated multiple times a day.
Amazon EC2 uses an Instance Profile as a container for an IAM role. When you create an IAM role using the AWS Management Console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, and you might give them different names. To launch an instance with an IAM role, you specify the name of its instance profile. When you launch an instance using the Amazon EC2 console, you can select a role to associate with the instance; however, the list that's displayed is actually a list of instance profile names.
Key Pairs
Amazon EC2 supports 2048-bit RSA SSH keys for gaining first access to an Amazon EC2 instance. On a Linux instance, access is granted through showing possession of the SSH private key. On a Windows instance, access is granted by showing possession of the SSH private key in order to decrypt the administrator password. The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other mechanisms to log in to your new instances securely. You can have a key pair generated automatically for you when you launch the instance, or you can upload your own. Save the private key in a safe place on your system and record the location where you saved it.
For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. You create Amazon CloudFront key pairs by using the Security Credentials page. Amazon CloudFront key pairs can be created only by the root account and cannot be created by IAM users.
X.509 Certificates
X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key that is associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender by verifying the signature with the public key that is in your certificate. AWS also verifies that the certificate that you sent matches the certificate that you uploaded to AWS.
For your AWS account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. For IAM users, you must create the X.509 certificate (signing certificate) by using third-party software. In contrast to root account credentials, AWS cannot create an X.509 certificate for IAM users. After you create the certificate, you attach it to an IAM user by using IAM.
In addition to SOAP requests, X.509 certificates are used as SSL/Transport Layer Security (TLS) server certificates for customers who want to use HTTPS to encrypt their transmissions. To use them for HTTPS, you can use an open-source tool like OpenSSL to create a unique private key. You'll need the private key to create the Certificate Signing Request (CSR) that you submit to a Certificate Authority (CA) to obtain the server certificate. You'll then use the AWS CLI to upload the certificate, private key, and certificate chain to IAM.
You will also need an X.509 certificate to create a customized Linux AMI for Amazon EC2 instances. The certificate is only required to create an instance store-backed AMI (as opposed to an Amazon Elastic Block Store [Amazon EBS]-backed AMI). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
AWS CloudTrail
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account. AWS CloudTrail records the following information about each API call:
The name of the API
The identity of the caller
The time of the API call
The request parameters
The response elements returned by the AWS Cloud service
This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
AWS CloudTrail supports log file integrity validation, which means you can prove to third parties (for example, auditors) that the log file sent by AWS CloudTrail has not been altered. Validated log files are invaluable in security and forensic investigations. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete, or forge AWS CloudTrail log files without detection.
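The fields CloudTrail records (API name, caller identity, time, request parameters, response elements) are exactly what detection logic consumes. The following is an added example, not from the book or from AWS, that runs four simple detections over a constructed CloudTrail log: root-account activity, a console login without MFA, an AccessDenied error, and a security group rule opened to 0.0.0.0/0. The three records are made up for this example; the account ID and addresses are documentation placeholders, but the field names (eventName, userIdentity, errorCode, additionalEventData.MFAUsed, requestParameters.ipPermissions) follow the CloudTrail record format.

```python
import json
from collections import Counter

# Constructed CloudTrail log (three records, not a real capture). Field names follow the
# CloudTrail record format; the account ID and IP addresses are documentation placeholders.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventVersion": "1.05", "eventTime": "2017-03-01T10:00:00Z",
   "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "Root", "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:root"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No"}},
  {"eventVersion": "1.05", "eventTime": "2017-03-01T10:05:00Z",
   "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
   "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
   "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
       {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
   "responseElements": {"_return": true}},
  {"eventVersion": "1.05", "eventTime": "2017-03-01T10:06:00Z",
   "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
   "errorCode": "AccessDenied", "errorMessage": "Access Denied"}
]}
""")


def analyse(records):
    """Return (rule, eventName, actor, detail) tuples for records that deserve a look."""
    findings = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        actor = identity.get("arn", "?")
        name = rec.get("eventName", "?")
        # 1. Any use of the root account: it should sit behind MFA and otherwise go unused.
        if identity.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", name, actor, rec.get("sourceIPAddress")))
        # 2. Console sign-in that did not present a second factor.
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", name, actor, rec.get("sourceIPAddress")))
        # 3. Authorization failures: a burst of these is the classic sign of probing with stolen keys.
        if rec.get("errorCode") == "AccessDenied":
            findings.append(("ACCESS_DENIED", name, actor, rec.get("eventSource")))
        # 4. Security group rule opened to the whole Internet (the port-scan surface discussed earlier).
        if name == "AuthorizeSecurityGroupIngress":
            params = rec.get("requestParameters", {})
            for perm in params.get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") == "0.0.0.0/0":
                        ports = f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}"
                        findings.append(("SG_OPEN_TO_WORLD", name, actor, f"{params.get('groupId')} {ports}"))
    return findings


def summary(records):
    """Count findings per rule, the shape a dashboard or alert threshold would consume."""
    return Counter(rule for rule, *_ in analyse(records))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG["Records"]):
        print(*finding)
    print(summary(SAMPLE_LOG["Records"]))
```

In production the same functions would run over the gzipped JSON objects CloudTrail delivers to the S3 bucket, after the integrity validation described above has confirmed the files are the ones CloudTrail wrote.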
AWS Cloud Service-Specific Security
Not only is security built into every layer of the AWS infrastructure, but also into each of the services available on that infrastructure. AWS Cloud services are architected to work efficiently and securely with all AWS networks and platforms. Each service provides additional security features to enable you to protect sensitive data and applications.
Compute Services
AWS provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet the needs of your application or enterprise.
Amazon Elastic Compute Cloud (Amazon EC2) Security
Amazon EC2 is a key component in Amazon's Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS data centers. Amazon EC2 is designed to make web-scale computing easier by enabling you to obtain and configure capacity with minimal friction. You create and launch instances, which are collections of platform hardware and software.
Multiple Levels of Security
Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. The goal is to prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to make Amazon EC2 instances themselves as secure as possible without sacrificing the flexibility in configuration that customers demand.
The Hypervisor
Amazon EC2 currently uses a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes, 0–3, called rings. Ring 0 is the most privileged and Ring 3 the least. The host OS executes in Ring 0. However, instead of executing in Ring 0 as most OSs do, the guest OS runs in the lesser-privileged Ring 1, and applications run in the least-privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.
Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides AWS with awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus, an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer's data is never unintentionally exposed to another customer. In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated from a guest. The memory is not returned to the pool of free memory available for new allocations until the memory scrubbing is completed. Figure 12.3 depicts instance isolation within Amazon EC2.
FIGURE 12.3 Amazon EC2 multiple layers of security
Host Operating System
Administrators with a business need to access the management plane are required to use MFA to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems can be revoked.
Guest Operating System
Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to your instances or the guest OS. AWS recommends a base set of security best practices, including disabling password-only access to your guests and using some form of MFA to gain access to your instances (or, at a minimum, key- or certificate-based SSH Version 2 access). Additionally, you should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, after hardening your instance you should use key- or certificate-based SSHv2 to access the virtual instance, disable remote root login, use command-line logging, and use sudo for privilege escalation. You should generate your own key pairs in order to guarantee that they are unique and not shared with other customers or with AWS. AWS also supports the use of the SSH network protocol to enable you to log in securely to your UNIX/Linux Amazon EC2 instances.
Authentication for SSH used with AWS is via a public/private key pair to reduce the risk of unauthorized access to your instance. You can also connect remotely to your Windows instances using Remote Desktop Protocol (RDP) by using an RDP certificate generated for your instance. You also control the updating and patching of your guest OS, including security updates. Amazon-provided Windows and Linux-based AMIs are updated regularly with the latest patches, so if you do not need to preserve data or customizations on your running Amazon AMI instances, you can simply relaunch new instances with the latest updated AMI. In addition, updates are provided for the Amazon Linux AMI via the Amazon Linux yum repositories.
FirewallAmazonEC2providesamandatoryinboundfirewallthatisconfiguredinadefaultdeny-allmode;AmazonEC2customersmustexplicitlyopentheportsneededtoallowinboundtraffic.Thetrafficmayberestrictedbyprotocol,byserviceport,andbysourceIPaddress(individualIPorClasslessInter-DomainRouting[CIDR]block).
Thefirewallcanbeconfiguredingroups,permittingdifferentclassesofinstancestohavedifferentrules.Consider,forexample,thecaseofatraditionalthree-tieredwebapplication.Thegroupforthewebserverswouldhaveport80(HTTP)and/orport443(HTTPS)opentotheInternet.Thegroupfortheapplicationserverswouldhaveport8000(applicationspecific)accessibleonlytothewebservergroup.Thegroupforthedatabaseserverswouldhaveport3306(MySQL)openonlytotheapplicationservergroup.Allthreegroupswouldpermitadministrativeaccessonport22(SSH),butonlyfromthecustomer’scorporatenetwork.Highlysecureapplicationscanbedeployedusingthisapproach,whichisalsodepictedinFigure12.4.
FIGURE 12.4 Amazon EC2 security group firewall
The level of security afforded by the firewall is a function of which ports you open and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall and VPNs. This can restrict both inbound and outbound traffic.
The default state is to deny all incoming traffic, and you should carefully plan what you will open when building and securing your applications.
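The three-tier design above relies on two properties of security groups: they are allow-only (no deny rules, so an unmatched flow is dropped) and a rule's source can be another group rather than an address range. The following model of that evaluation is an added example, not code from the study guide or from AWS; the group names, the 203.0.113.0/24 corporate network and the flows it checks are constructed.

```python
"""Model EC2 security group evaluation for the three-tier example above.

A rule is (protocol, from_port, to_port, source); source is a CIDR block or the
name of another security group. Groups are allow-only and stateful, so only the
initiating direction of a connection is checked."""
import ipaddress

CORPORATE_NET = "203.0.113.0/24"   # assumed corporate network (constructed)

SECURITY_GROUPS = {
    "web": [
        ("tcp", 80, 80, "0.0.0.0/0"),
        ("tcp", 443, 443, "0.0.0.0/0"),
        ("tcp", 22, 22, CORPORATE_NET),
    ],
    "app": [
        ("tcp", 8000, 8000, "web"),       # only members of the web group
        ("tcp", 22, 22, CORPORATE_NET),
    ],
    "db": [
        ("tcp", 3306, 3306, "app"),       # only members of the app group
        ("tcp", 22, 22, CORPORATE_NET),
    ],
}


def _source_matches(source, src_ip, src_group):
    """A group-name source matches the sender's group; a CIDR source matches its IP."""
    if source in SECURITY_GROUPS:
        return src_group == source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False)


def inbound_allowed(dest_group, protocol, port, src_ip, src_group=None):
    """Any matching rule permits the flow; with no match the default is deny."""
    for rule_proto, from_port, to_port, source in SECURITY_GROUPS[dest_group]:
        if rule_proto != protocol or not from_port <= port <= to_port:
            continue
        if _source_matches(source, src_ip, src_group):
            return True
    return False


def check_three_tier():
    """Constructed flows exercising the design; returns {description: allowed}."""
    internet, corp = "198.51.100.7", "203.0.113.5"
    return {
        "internet -> web:443": inbound_allowed("web", "tcp", 443, internet),
        "internet -> app:8000": inbound_allowed("app", "tcp", 8000, internet),
        "web -> app:8000": inbound_allowed("app", "tcp", 8000, "10.0.1.10", "web"),
        "web -> db:3306": inbound_allowed("db", "tcp", 3306, "10.0.1.10", "web"),
        "app -> db:3306": inbound_allowed("db", "tcp", 3306, "10.0.2.10", "app"),
        "corporate -> db:22": inbound_allowed("db", "tcp", 22, corp),
        "internet -> db:22": inbound_allowed("db", "tcp", 22, internet),
    }


if __name__ == "__main__":
    for flow, allowed in check_three_tier().items():
        print(f"{flow:22} {'allow' if allowed else 'deny'}")
```

The web tier cannot reach the database directly even though both are inside the VPC, because the db group's 3306 rule names the app group as its only source; that is the property Figure 12.4 illustrates.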
API Access
API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon EC2 API calls cannot be made on your behalf. API calls can also be encrypted with SSL to maintain confidentiality. AWS recommends always using SSL-protected API endpoints. AWS also recommends not creating access keys for the account root user at all; use IAM users or roles, whose permissions can be scoped and revoked individually.
Amazon Elastic Block Store (Amazon EBS) Security
Amazon EBS allows you to create storage volumes from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. You can create a file system on top of Amazon EBS volumes or use them in any other way you would use a block device (like a hard drive). Amazon EBS volume access is restricted to the AWS account that created the volume and to the users under the AWS account created with AWS IAM (if the user has been granted access to the EBS operations). All other AWS accounts and users are denied the permission to view or access the volume.
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. For customers who have architected complex transactional databases using Amazon EBS, it is recommended that backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed. AWS does not automatically perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.
You can make Amazon EBS volume snapshots publicly available to other AWS accounts to use as the basis for creating duplicate volumes. Sharing Amazon EBS volume snapshots does not provide other AWS accounts with the permission to alter or delete the original snapshot, as that right is explicitly reserved for the AWS account that created the volume. An Amazon EBS snapshot is a block-level view of an entire Amazon EBS volume. Note that data that is not visible through the file system on the volume, such as files that have been deleted, may be present in the Amazon EBS snapshot. If you want to create shared snapshots, you should do so carefully. If a volume has held sensitive data or has had files deleted from it, you should create a new Amazon EBS volume to share. The data to be contained in the shared snapshot should be copied to the new volume, and the snapshot created from the new volume. Snapshots of encrypted volumes cannot be made public at all; they can only be shared with specific accounts that are also granted access to the key.
Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process is completed. If you have procedures requiring that all data be wiped via a specific method, you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt Amazon EBS volumes and their snapshots with Advanced Encryption Standard (AES)-256; the volume keys are managed through AWS Key Management Service (KMS). The encryption occurs on the servers that host the Amazon EC2 instances, providing encryption of data as it moves between Amazon EC2 instances and Amazon EBS storage. In order to be able to do this efficiently and with low latency, the Amazon EBS encryption feature is only available on Amazon EC2's more powerful instance types.
Networking
AWS provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS Cloud, use a highly available and scalable Domain Name System (DNS) service, and deliver content to your end users with low latency at high data transfer speeds with a content delivery web service.
Elastic Load Balancing Security
Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all Availability Zones within a region. Elastic Load Balancing has all of the advantages of an on-premises load balancer, plus several security benefits:
Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.
Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.
When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options.
Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, instead of on every individual instance.
HTTPS/TLS uses the server's long-term secret key to negotiate a short-term session key between the server and the browser, and that session key protects the application data. Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. However, some customers may have requirements for allowing only specific ciphers and protocols (for example, Payment Card Industry Data Security Standard [PCI DSS], Sarbanes-Oxley Act [SOX]) from clients to ensure that standards are met. In these cases, Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.
To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer will select a cipher suite based on the server's prioritization of cipher suites instead of the client's. This gives you more control over the level of security that clients use to connect to your load balancer.
For even greater communication privacy, Elastic Load Balancing allows the use of Perfect Forward Secrecy (the ECDHE cipher suites), which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is compromised.
Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing. Typically, client connection information, such as IP address and port, is lost when requests are proxied through a load balancer. This is because the load balancer sends requests to the server on behalf of the client, making your load balancer appear as though it is the requesting client. For HTTP and HTTPS listeners the original address is carried in the X-Forwarded-For header; for TCP listeners it can be carried by enabling Proxy Protocol. Having the originating client IP address is useful if you need more information about visitors to your applications in order to gather connection statistics, analyze traffic logs, or manage whitelists of IP addresses. Because any upstream proxy can write the X-Forwarded-For header, only the address appended by your own load balancer should be trusted for whitelisting.
Elastic Load Balancing access logs contain information about each HTTP and TCP request processed by your load balancer. This includes the IP address and port of the requesting client, the back-end IP address of the instance that processed the request, the size of the request and response, and the actual request line from the client (for example, GET http://www.example.com:80/ HTTP/1.1). All requests sent to the load balancer are logged, including requests that never make it to back-end instances.
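The following parser pulls those fields out of Classic Load Balancer access log lines and separates the requests the load balancer answered itself (no back end reached) from the rest. It is an added example, not code from the study guide or from AWS; the three log lines are constructed in the Classic Load Balancer format, not captured from a real load balancer.

```python
"""Parse Classic Load Balancer access log lines and summarise them.

Quoted fields (request line, user agent) are kept whole; a back end of '-'
means the request never reached an instance, which the text above says is
still logged."""
import shlex
from collections import Counter

# Constructed sample lines (not captured from a real load balancer).
SAMPLE_LOG = """\
2017-03-01T12:00:01.123456Z my-elb 198.51.100.7:51234 10.0.1.10:80 0.000073 0.001048 0.000057 200 200 0 512 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2017-03-01T12:00:02.223456Z my-elb 198.51.100.7:51235 10.0.1.11:80 0.000061 0.000912 0.000049 200 200 0 1024 "GET http://www.example.com:80/admin HTTP/1.1" "curl/7.38.0" - -
2017-03-01T12:00:03.323456Z my-elb 203.0.113.9:44100 - -1 -1 -1 503 - 0 0 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

# Field order of the Classic Load Balancer access log format.
FIELDS = ["timestamp", "elb", "client", "backend", "request_processing_time",
          "backend_processing_time", "response_processing_time", "elb_status_code",
          "backend_status_code", "received_bytes", "sent_bytes", "request",
          "user_agent", "ssl_cipher", "ssl_protocol"]


def _endpoint(value):
    """'ip:port' -> (ip, port); '-' (no back end reached) -> (None, None)."""
    if value == "-":
        return None, None
    ip, port = value.rsplit(":", 1)
    return ip, int(port)


def parse_elb_log_line(line):
    """One log line -> dict of named fields plus derived client/back-end values."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    rec["client_ip"], rec["client_port"] = _endpoint(rec["client"])
    rec["backend_ip"], rec["backend_port"] = _endpoint(rec["backend"])
    rec["elb_status_code"] = int(rec["elb_status_code"])
    rec["method"], rec["url"], rec["http_version"] = rec["request"].split(" ", 2)
    rec["reached_backend"] = rec["backend_ip"] is not None
    return rec


def summarize(log_text):
    """Per-client request counts, requests that never reached a back end, and the
    TLS protocol/cipher actually negotiated on HTTPS listeners."""
    records = [parse_elb_log_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "records": records,
        "per_client": Counter(r["client_ip"] for r in records),
        "not_forwarded": [r for r in records if not r["reached_backend"]],
        "tls": [(r["ssl_protocol"], r["ssl_cipher"]) for r in records if r["ssl_protocol"] != "-"],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["per_client"])
    for r in s["not_forwarded"]:
        print("answered by ELB:", r["client_ip"], r["elb_status_code"], r["request"])
    print("negotiated TLS:", s["tls"])
```

Requests in `not_forwarded` with a 5xx status are a quick way to see the load balancer absorbing traffic that no instance served, which is exactly the "first line of defense" role described above; the `tls` list shows whether the cipher restrictions you configured are what clients actually negotiate.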
Amazon Virtual Private Cloud (Amazon VPC) Security
Normally, each Amazon EC2 instance you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (for example, 10.0.0.0/16). You can define subnets within your Amazon VPC, grouping similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances and subnets.
Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network. Amazon EC2 instances running within an Amazon VPC inherit all of the benefits described above related to the guest OS and protection against packet sniffing. Note, however, that you must create security groups specifically for your Amazon VPC; any Amazon EC2 (EC2-Classic) security groups you have created will not work inside your Amazon VPC. In addition, Amazon VPC security groups have additional capabilities that EC2-Classic security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, User Datagram Protocol [UDP], or Internet Control Message Protocol [ICMP]).
Each Amazon VPC is a distinct, isolated network within the cloud; network traffic within each Amazon VPC is isolated from all other Amazon VPCs. At creation time, you select an IP address range for each Amazon VPC. You may create and attach an Internet gateway, virtual private gateway, or both to establish external connectivity, subject to the following controls.
API Access
Calls to create and delete Amazon VPCs; change routing, security group, and network ACL parameters; and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. AWS recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.
Subnets and Route Tables
You create one or more subnets within each Amazon VPC; each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked. Each subnet in an Amazon VPC is associated with a routing table, and all network traffic leaving the subnet is processed by the routing table to determine the destination.
Firewall (Security Groups)
Like Amazon EC2, Amazon VPC supports a complete firewall solution, enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, and by source/destination IP address (individual IP or CIDR block). The firewall isn't controlled through the guest OS; rather, it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall. Figure 12.5 illustrates an Amazon VPC with two types of subnets, public and private, and two network paths to two different networks: a customer data center and the Internet.
FIGURE 12.5 Amazon VPC network architecture
Network ACLs
To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can contain ordered rules to allow or deny traffic based on IP protocol, by service port, and source/destination IP address. Rules are evaluated in ascending rule-number order and the first match wins, with a final catch-all rule that denies everything else. Because the filter is stateless, the reply to a permitted connection must itself be permitted in the opposite direction, which in practice means an outbound (or inbound) rule covering the ephemeral port range used by the other side of the connection.
Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties. Figure 12.6 depicts how the security controls above interrelate to enable flexible network topologies while providing complete control over network traffic flows.
FIGURE 12.6 Flexible network architectures
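Two mistakes follow directly from the ordered, stateless semantics of network ACLs: forgetting the ephemeral-port rule for return traffic, and placing a deny rule after an allow rule that already matches. The following model is an added example, not code from the study guide or from AWS; the rule tables, the 203.0.113.0/24 corporate network and the 192.0.2.0/24 "blocked" range are constructed.

```python
"""Model stateless network ACL evaluation in a VPC subnet.

Rules are (rule_number, protocol, port_from, port_to, cidr, action); they are
evaluated in ascending rule-number order, the first match decides, and the
implicit '*' rule denies. Nothing is remembered between packets."""
import ipaddress

CORPORATE_NET = "203.0.113.0/24"   # assumed corporate network (constructed)
BLOCKED_NET = "192.0.2.0/24"       # constructed "known bad" range

INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, 22, CORPORATE_NET, "allow"),
    (120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to outbound connections
]

# A deny numbered after the matching allow never fires; number it lower instead.
INBOUND_LATE_DENY = INBOUND + [(105, "tcp", 443, 443, BLOCKED_NET, "deny")]
INBOUND_EARLY_DENY = INBOUND + [(90, "tcp", 443, 443, BLOCKED_NET, "deny")]

# Broken: no rule for the client's ephemeral port, so replies to inbound HTTPS
# are dropped even though the request was allowed in.
OUTBOUND_BROKEN = [
    (100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    (110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Fixed: return traffic to ephemeral ports is allowed out.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


def acl_decision(rules, protocol, port, address):
    """'allow' or 'deny' for one packet. `address` is the source for inbound
    rules and the destination for outbound rules; `port` is the destination port."""
    ip = ipaddress.ip_address(address)
    for _, proto, lo, hi, cidr, action in sorted(rules):
        if proto not in (protocol, "all") or not lo <= port <= hi:
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "deny"   # the implicit '*' rule


def tcp_exchange_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A connection from outside works only if the request is allowed in AND the
    reply (server_port -> client ephemeral port) is allowed out."""
    request = acl_decision(inbound, "tcp", server_port, client_ip)
    reply = acl_decision(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    print("https with broken outbound:", tcp_exchange_allowed(INBOUND, OUTBOUND_BROKEN, "198.51.100.7", 50000, 443))
    print("https with fixed outbound:", tcp_exchange_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 50000, 443))
    print("blocked range, deny numbered 105:", acl_decision(INBOUND_LATE_DENY, "tcp", 443, "192.0.2.4"))
    print("blocked range, deny numbered 90:", acl_decision(INBOUND_EARLY_DENY, "tcp", 443, "192.0.2.4"))
```

Security groups need neither the ephemeral-port rule nor the ordering care, because they are stateful and allow-only; that is why the text treats the two controls as complementary layers rather than alternatives.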
Virtual Private Gateway
A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. You can establish VPN connections to the virtual private gateway from gateway devices at your premises. Each connection is secured by a preshared key in conjunction with the IP address of the customer gateway device.
Internet Gateway
An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a Network Address Translation (NAT) instance or a managed NAT gateway. Additionally, network routes are configured to direct traffic to the Internet gateway (see Figure 12.6). AWS provides reference NAT AMIs that you can extend to perform network logging, deep packet inspection, application layer filtering, or other security controls.
This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet gateway, enabling you to implement additional security through separation of duties.
Dedicated Instances
Within an Amazon VPC, you can launch Amazon EC2 instances that are physically isolated at the host hardware level (that is, they will run on single-tenant hardware). An Amazon VPC can be created with "dedicated" tenancy, so that all instances launched into the Amazon VPC will use this feature. Alternatively, an Amazon VPC may be created with "default" tenancy, but you can specify dedicated tenancy for particular instances launched into it.
Amazon CloudFront Security
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. Requests for customers' objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS services like Amazon S3, Amazon EC2, Elastic Load Balancing, and Amazon Route 53. It also works seamlessly with any non-AWS origin server that stores the original, definitive versions of your files.
Amazon CloudFront requires that every request made to its control API is authenticated so only authorized users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC signature calculated from the request and the user's secret access key (HMAC-SHA-1 in the original signing scheme; Signature Version 4 uses HMAC-SHA-256). Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.
There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may sometimes remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront by holding the original, definitive copies of objects delivered by Amazon CloudFront.
If you want control over who can download content from Amazon CloudFront, you can enable the service's private content feature. This feature has two components. The first controls how content is delivered from the Amazon CloudFront edge location to viewers on the Internet. The second controls how the Amazon CloudFront edge locations access objects in Amazon S3. Amazon CloudFront also supports geo restriction, which restricts access to your content based on the geographic location of your viewers.
To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3's ACL feature (or a bucket policy) to limit access to that Origin Access Identity so the original copy of the object is not publicly readable. Without this step a viewer who learns the S3 URL can bypass CloudFront, and with it any signed-URL or geo restriction, entirely.
To control who can download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a public-private key pair and upload the public key to your account via the AWS Management Console. You then configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests; you can indicate up to five AWS accounts that you trust to sign requests. As you receive requests, you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the SHA-1 hash of your policy document and sign this using your private key. Finally, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it verifies the signature using your public key. Amazon CloudFront will only serve requests that have a valid policy document and matching signature.
Note that private content is an optional feature that must be enabled when you set up your Amazon CloudFront distribution. Content delivered without this feature enabled will be publicly readable.
Amazon CloudFront provides the option to transfer content over an encrypted connection (HTTPS). By default, Amazon CloudFront will accept requests over both HTTP and HTTPS protocols. However, you can also configure Amazon CloudFront to require HTTPS for all requests or have Amazon CloudFront redirect HTTP requests to HTTPS. You can even configure Amazon CloudFront distributions to allow HTTP for some objects but require HTTPS for other objects.
Storage
AWS provides low-cost data storage with high durability and availability. AWS offers storage choices for backup, archiving, and disaster recovery, and also for block and object storage.
Amazon Simple Storage Service (Amazon S3) Security
Amazon S3 allows you to upload and retrieve data at any time, from anywhere on the web. Amazon S3 stores data as objects within buckets. An object can be any kind of file: a text file, a photo, a video, and more. When you add a file to Amazon S3, you have the option of including metadata with the file and setting permissions to control access to the file. For each bucket, you can control access to the bucket (who can create, delete, and list objects in the bucket), view access logs for the bucket and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.
Data Access
Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create. (Note that a bucket/object owner is the AWS account owner, not the user who created the bucket/object.) There are multiple ways to control access to buckets and objects:
IAM Policies
AWS IAM enables organizations with many employees to create and manage multiple users under a single AWS account. IAM policies are attached to the users, enabling centralized control of permissions for users under your AWS account to access buckets or objects. With IAM policies, you can only grant users within your own AWS account permission to access your Amazon S3 resources.
ACLs
Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources.
Bucket Policies
Bucket policies in Amazon S3 can be used to add or deny permissions across some or all of the objects within a single bucket. A bucket policy is attached to the bucket itself (unlike IAM policies, which are attached to users, groups, or roles), enabling centralized management of permissions for everything in that bucket. With bucket policies, you can grant users within your AWS account or other AWS accounts access to your Amazon S3 resources.
Query String Authentication
You can use a query string to express a request entirely in a URL. In this case, you use query parameters to provide request information, including the authentication information. Because the request signature is part of the URL, this type of URL is often referred to as a pre-signed URL. You can use pre-signed URLs to embed clickable links, which can be valid for up to seven days, in HTML.
You can further restrict access to specific resources based on certain conditions. For example, you can restrict access based on request time (Date conditions on aws:CurrentTime), whether the request was sent using SSL (Boolean conditions on aws:SecureTransport), a requester's IP address (IP address conditions on aws:SourceIp), or the requester's client application (String conditions, for example on aws:UserAgent). To identify these conditions, you use policy keys.
Amazon S3 also gives developers the option to use query string authentication, which allows them to share Amazon S3 objects through URLs that are valid for a predefined period of time. Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string secures the request. Anyone who obtains such a URL can use it until it expires, with the permissions of the principal that signed it, so treat a pre-signed URL as a bearer credential: sign with a principal that holds only the permission the link needs, and keep the expiry as short as the use case allows.
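The mechanism behind a pre-signed URL is shown below for a Signature Version 4 GET: the signing side derives a key from the secret, signs a canonical form of the request and appends the signature as a query parameter; the verifying side recomputes the same signature from the URL's own parameters and checks the expiry. This is an added example using only the Python standard library, not code from the study guide or the AWS SDK; the bucket, key, access key ID and clock are constructed, and the secret is the placeholder value used in AWS documentation.

```python
"""S3 query-string authentication: a SigV4 pre-signed GET, signed then verified
the way the service verifies it."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600   # seven days, the limit for SigV4 pre-signed URLs
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret, date_stamp, region):
    # Derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning.
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params):
    # RFC 3986 encoding, parameters sorted by name.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret, region, host, key, params):
    amz_date = params["X-Amz-Date"]
    date_stamp = amz_date[:8]
    canonical_request = "\n".join([
        "GET", quote("/" + key, safe="/-_.~"), _canonical_query(params),
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, f"{date_stamp}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date_stamp, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(access_key_id, secret, bucket, key, region, expires, now):
    """Return a pre-signed GET URL valid for `expires` seconds from `now` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    signature = _signature(secret, region, host, key, params)
    return f"https://{host}/{quote(key, safe='/-_.~')}?{_canonical_query(params)}&X-Amz-Signature={signature}"


def verify_presigned_get(url, secret, now):
    """Service-side check: not expired, and the signature recomputed over the
    URL's own parameters matches the one presented (constant-time comparison)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    region = params["X-Amz-Credential"].split("/")[2]
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now > issued + dt.timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    expected = _signature(secret, region, parts.netloc, unquote(parts.path).lstrip("/"), params)
    return hmac.compare_digest(expected, presented)


DEMO_NOW = dt.datetime(2017, 3, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
DEMO_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # AWS documentation placeholder


def demo():
    """Sign a constructed link, then check it as the service would."""
    url = presign_get("AKIAIOSFODNN7EXAMPLE", DEMO_SECRET, "example-bucket",
                      "reports/q1 2017.pdf", "us-east-1", 3600, DEMO_NOW)
    return {
        "url": url,
        "valid_now": verify_presigned_get(url, DEMO_SECRET, DEMO_NOW + dt.timedelta(minutes=30)),
        "valid_after_expiry": verify_presigned_get(url, DEMO_SECRET, DEMO_NOW + dt.timedelta(hours=2)),
        "valid_tampered_key": verify_presigned_get(url.replace("q1%202017", "q2%202017"), DEMO_SECRET, DEMO_NOW),
        "valid_wrong_secret": verify_presigned_get(url, "not-the-secret", DEMO_NOW),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The object key and the expiry are part of what is signed, so changing either in the URL invalidates it; what the signature does not cover is who presents the link, which is why the paragraph above treats the URL as a bearer credential.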
Data Transfer
For maximum security, you can securely upload/download data to Amazon S3 via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Storage
Amazon S3 provides multiple options for protecting data at rest. For customers who prefer to manage their own encryption, they can use a client encryption library like the Amazon S3 Encryption Client to encrypt data before uploading to Amazon S3. Alternatively, you can use Amazon S3 Server-Side Encryption (SSE) if you prefer to have Amazon S3 manage the encryption process for you. Data is encrypted with a key generated by AWS or with a key you supply, depending on your requirements. With Amazon S3 SSE, you can encrypt data on upload simply by adding an additional request header when writing the object (x-amz-server-side-encryption, with the value AES256 for S3-managed keys or aws:kms for KMS-managed keys). Decryption happens automatically when data is retrieved. Note that metadata, which you can include with your object, is not encrypted.
AWS recommends that customers not place sensitive information in Amazon S3 metadata.
Amazon S3 SSE uses one of the strongest block ciphers available: AES-256. With Amazon S3 SSE, every protected object is encrypted with a unique encryption key. This object key itself is then encrypted with a regularly rotated master key. Amazon S3 SSE provides additional security by storing the encrypted data and encryption keys in different hosts. Amazon S3 SSE also makes it possible for you to enforce encryption requirements. For example, you can create and apply bucket policies that require that only encrypted data can be uploaded to your buckets.
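The bucket policy that enforces encrypted uploads, together with the Date, Boolean, IP address and String conditions listed under Data Access, is worked through below: a constructed policy is evaluated against constructed requests the way IAM evaluates it (an explicit Deny always wins, then any matching Allow, otherwise an implicit deny). This is an added example, not code from the study guide or from AWS; the account ID, role, bucket and network range are constructed, and the treatment of a missing condition key is a stated simplification of IAM's semantics.

```python
"""Evaluate S3 requests against a bucket policy with Bool, String, Null,
IpAddress and Date conditions (constructed policy and requests)."""
import datetime as dt
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::example-bucket"                 # constructed
APP_ROLE = "arn:aws:iam::123456789012:role/app"        # constructed
CORPORATE_NET = "203.0.113.0/24"                       # constructed

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRole", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # SSE enforcement needs two statements: wrong header value, and no header.
        {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyMissingEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyOutsideCorporateNetwork", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET + "/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": CORPORATE_NET}}},
        {"Sid": "DenyAfterContractEnd", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET + "/*",
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _in_any(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(operator, key, expected, context):
    """One condition key. Simplified IAM semantics: a key absent from the request
    context fails every operator except Null, hence the separate Null statement."""
    expected = _as_list(expected)
    if operator == "Null":
        return (key not in context) == (expected[0].lower() == "true")
    if key not in context:
        return False
    actual = context[key]
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "Bool":
        return str(actual).lower() == expected[0].lower()
    if operator == "IpAddress":
        return _in_any(actual, expected)
    if operator == "NotIpAddress":
        return not _in_any(actual, expected)
    if operator == "DateGreaterThan":
        limit = dt.datetime.strptime(expected[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
        return actual > limit
    raise ValueError("unsupported operator: " + operator)


def _principal_matches(statement_principal, principal):
    return statement_principal == "*" or principal in _as_list(statement_principal.get("AWS", []))


def evaluate(policy, principal, action, resource, context):
    """'Allow', 'Deny' (explicit) or 'ImplicitDeny'. An explicit Deny overrides any
    Allow, which is why the guardrail statements above use Effect: Deny."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], principal):
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not all(_condition_holds(op, k, v, context)
                   for op, kv in st.get("Condition", {}).items() for k, v in kv.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECT = BUCKET + "/reports/q1.csv"
NOW = dt.datetime(2017, 6, 1, tzinfo=dt.timezone.utc)


def check_requests():
    """Decisions for constructed requests; only the first should be allowed."""
    base = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10", "aws:CurrentTime": NOW}
    put, get, p = "s3:PutObject", "s3:GetObject", BUCKET_POLICY
    return {
        "encrypted put, https, corporate ip": evaluate(p, APP_ROLE, put, OBJECT, {**base, "s3:x-amz-server-side-encryption": "AES256"}),
        "put without encryption header": evaluate(p, APP_ROLE, put, OBJECT, base),
        "put with wrong encryption value": evaluate(p, APP_ROLE, put, OBJECT, {**base, "s3:x-amz-server-side-encryption": "none"}),
        "get over plain http": evaluate(p, APP_ROLE, get, OBJECT, {**base, "aws:SecureTransport": "false"}),
        "get from outside corporate network": evaluate(p, APP_ROLE, get, OBJECT, {**base, "aws:SourceIp": "198.51.100.7"}),
        "get by a principal the policy never allows": evaluate(p, "arn:aws:iam::123456789012:user/intern", get, OBJECT, base),
        "get after contract end": evaluate(p, APP_ROLE, get, OBJECT, {**base, "aws:CurrentTime": dt.datetime(2018, 1, 1, tzinfo=dt.timezone.utc)}),
    }
```

The pairing of StringNotEquals with a Null condition is the pattern AWS itself documents for requiring SSE on upload; a single StringNotEquals statement is not enough to catch a PUT that omits the header altogether.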
When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately and is generally processed across the distributed system within several seconds. After the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.
Amazon S3 Standard is designed to provide 99.999999999 percent durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001 percent of objects. For example, if you store 10,000 objects with Amazon S3, you can, on average, expect to incur a loss of a single object once every 10,000,000 years. In addition, Amazon S3 is designed to sustain the concurrent loss of data in two facilities.
Access Logs
An Amazon S3 bucket can be configured to log access to the bucket and objects within it. The access log contains details about each access request including request type, the requested resource, the requestor's IP, and the time and date of the request. When logging is enabled for a bucket, log records are periodically aggregated into log files and delivered to the specified Amazon S3 bucket.
Cross-Origin Resource Sharing (CORS)
AWS customers who use Amazon S3 to host static web pages or store objects used by other web pages can load content securely by configuring an Amazon S3 bucket to explicitly enable cross-origin requests. Modern browsers enforce the same-origin policy, which blocks JavaScript or HTML5 from loading content from another site or domain, as a way to help ensure that malicious content is not loaded from a less reputable source (such as during cross-site scripting attacks). With a Cross-Origin Resource Sharing (CORS) policy enabled, assets such as web fonts and images stored in an Amazon S3 bucket can be safely referenced by external web pages, style sheets, and HTML5 applications. A CORS configuration only relaxes the browser's restriction for the origins it names; it grants no access by itself, which remains governed by the bucket's ACLs and policies, so list the specific origins you serve rather than a wildcard.
Amazon Glacier Security
Like Amazon S3, the Amazon Glacier service provides low-cost, secure, and durable storage. Where Amazon S3 is designed for rapid retrieval, however, Amazon Glacier is meant to be used as an archival service for data that is not accessed often and for which retrieval times of several hours are suitable.
Amazon Glacier stores files as archives within vaults. Archives can be any data such as a photo, video, or document, and can contain one or several files. You can store an unlimited number of archives in a single vault and can create up to 1,000 vaults per region. Each archive can contain up to 40 TB of data.
Data Transfer
For maximum security, you can securely upload/download data to Amazon Glacier via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Retrieval
Retrieving archives from Amazon Glacier requires the initiation of a retrieval job, which is generally completed in three to five hours. You can then access the data via HTTP GET requests. The data will remain available to you for 24 hours. You can retrieve an entire archive or several files from an archive. If you want to retrieve only a subset of an archive, you can use one retrieval request to specify the range of the archive that contains the files in which you are interested, or you can initiate multiple retrieval requests, each with a range for one or more files.
You can also limit the number of vault inventory items retrieved by filtering on an archive creation date range or by setting a maximum items limit. Whichever method you choose, when you retrieve portions of your archive, you can use the supplied checksum to help ensure the integrity of the files, provided that the range that is retrieved is aligned with the tree hash of the overall archive.
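The checksum Amazon Glacier supplies is a tree hash: the archive is split into 1 MiB chunks, each chunk is hashed with SHA-256, and adjacent digests are concatenated and hashed pairwise until a single root remains (an unpaired digest at the end of a level is carried up unchanged). A retrieved range can be checked against the archive's recorded tree hash only when the range's own tree hash is a node of that tree, which is what "aligned" means above. The code below computes the tree hash and tests that alignment property directly; it is an added example, not code from the study guide or the AWS SDK, and the archive it works on is constructed.

```python
"""Amazon Glacier tree hash and tree-hash-aligned range check."""
import hashlib

MIB = 1024 * 1024


def _tree_levels(data):
    """All levels of the tree, leaves first. Leaves are SHA-256 digests of 1 MiB
    chunks; each higher level hashes the concatenation of adjacent pairs and
    carries an unpaired last digest up unchanged."""
    level = [hashlib.sha256(data[i:i + MIB]).digest() for i in range(0, len(data), MIB)]
    levels = [level]
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels


def tree_hash(data):
    """Hex tree hash; for inputs of at most 1 MiB it is simply SHA-256 of the data."""
    if not data:
        return hashlib.sha256(b"").hexdigest()
    return _tree_levels(data)[-1][0].hex()


def range_is_verifiable(archive, start, length):
    """True if the tree hash of archive[start:start+length] is a node of the whole
    archive's tree, i.e. the range is tree-hash aligned and the checksum returned
    for it can be checked against the archive's recorded tree hash."""
    nodes = {digest for level in _tree_levels(archive) for digest in level}
    return bytes.fromhex(tree_hash(archive[start:start + length])) in nodes


def make_archive(size):
    """Deterministic constructed archive of `size` bytes with distinct 1 MiB chunks."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest() * (MIB // 32)
        i += 1
    return bytes(out[:size])


if __name__ == "__main__":
    archive = make_archive(4 * MIB)
    print("archive tree hash:", tree_hash(archive))
    for start, length in ((0, 2 * MIB), (2 * MIB, 2 * MIB), (MIB, 2 * MIB), (0, 3 * MIB)):
        print(f"range [{start // MIB} MiB, +{length // MIB} MiB) verifiable:",
              range_is_verifiable(archive, start, length))
```

In a 4 MiB archive the ranges starting at 0 or 2 MiB with length 2 MiB are verifiable, while [1 MiB, 3 MiB) and [0, 3 MiB) are not, even though all of them are megabyte-aligned: the start must be a multiple of the range length and the length a power of two MiB (or the range must run to the end of the archive), so plan partial retrievals on those boundaries if you intend to check their checksums.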
Data Storage
Amazon Glacier automatically encrypts the data using AES-256 and stores it durably in an immutable form. Amazon Glacier is designed to provide average annual durability of 99.999999999 percent for an archive. It stores each archive in multiple facilities and multiple devices. Unlike traditional systems, which can require laborious data verification and manual repair, Amazon Glacier performs regular, systematic data integrity checks and is built to be self-healing.
Data Access
Only your account can access your data in Amazon Glacier. To control access to your data in Amazon Glacier, you can use AWS IAM to specify which users within your account have rights to operations on a given vault.
AWS Storage Gateway Security
The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS storage infrastructure. The service enables you to upload data securely to the scalable, reliable, and secure Amazon S3 storage service for cost-effective backup and rapid disaster recovery.
Data Transfer
Data is asynchronously transferred from your on-premises storage hardware to AWS over SSL.
Data Storage
The data is stored encrypted in Amazon S3 using AES-256, a symmetric key encryption standard using 256-bit encryption keys. The AWS Storage Gateway only uploads data that has changed, minimizing the amount of data sent over the Internet.
Database
AWS provides a number of database solutions for developers and businesses, from managed relational and NoSQL database services, to in-memory caching as a service and a petabyte-scale data warehouse service.
Amazon DynamoDB Security
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables you to offload the administrative burdens of operating and scaling distributed databases to AWS, so you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.
You can create a database table that can store and retrieve any amount of data and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity you specified and the amount of data stored, while maintaining consistent, fast performance. All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple Availability Zones in a region to provide built-in high availability and data durability.
You can set up automatic backups using a special template in AWS Data Pipeline that was created just for copying Amazon DynamoDB tables. You can choose full or incremental backups to a table in the same region or a different region. You can use the copy for disaster recovery in the event that an error in your code damages the original table, or to federate Amazon DynamoDB data across regions to support a multi-region application.
To control who can use the Amazon DynamoDB resources and API, you set up permissions in AWS IAM. In addition to controlling access at the resource level with IAM, you can also control access at the database level: you can create database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application. These database-level permissions are called fine-grained access controls, and you create them using an IAM policy that specifies under what circumstances a user or application can access an Amazon DynamoDB table. The IAM policy can restrict access to individual items in a table (with the dynamodb:LeadingKeys condition key, typically matched against the caller's identity), access to the attributes in those items (with dynamodb:Attributes), or both at the same time.
In addition to requiring database and user permissions, each request to the Amazon DynamoDB service must contain a valid HMAC-SHA-256 signature or the request is rejected. The AWS SDKs automatically sign your requests; however, if you want to write your own HTTP POST requests, you must provide the signature in the header of your request to Amazon DynamoDB. The signature is computed from your access key credentials: either the long-term keys of an IAM user or temporary security credentials obtained from the AWS Security Token Service, which is what the SDKs use when an application runs under an IAM role and is the preferred option because the credentials expire on their own. Amazon DynamoDB is accessible via SSL-encrypted endpoints, and the encrypted endpoints are accessible from both the Internet and from within Amazon EC2.
Amazon Relational Database Service (Amazon RDS) Security
Amazon Relational Database Service (Amazon RDS) allows you to quickly create a relational Database Instance (DB Instance) and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the database instance on your behalf by performing backups, handling failover, and maintaining the database software. As of the time of this writing, Amazon RDS is available for MySQL, Oracle, Microsoft SQL Server, MariaDB, Amazon Aurora, and PostgreSQL database engines.
Amazon RDS has multiple features that enhance reliability for critical production databases, including DB security groups, permissions, SSL connections, automated backups, DB snapshots, and multiple Availability Zone (Multi-AZ) deployments. DB Instances can also be deployed in an Amazon VPC for additional network isolation.
Access Control
When you first create a DB Instance within Amazon RDS, you will create a master user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance. After you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance.
You can control Amazon RDS DB Instance access via DB security groups, which are similar to Amazon EC2 security groups but not interchangeable. DB security groups act like a firewall controlling network access to your DB Instance. DB security groups default to a deny-all access mode, and customers must specifically authorize network ingress. There are two ways of doing this:
Authorizing a network IP range
Authorizing an existing Amazon EC2 security group
DB security groups only allow access to the database server port (all others are blocked) and can be updated without restarting the Amazon RDS DB Instance, which gives you seamless control of your database access. Note that DB security groups apply to DB Instances outside a VPC (EC2-Classic); a DB Instance launched into an Amazon VPC is protected by VPC security groups instead, and the same allow-only, deny-by-default rules apply.
Using AWS IAM, you can further control access to your Amazon RDS DB Instances. AWS IAM enables you to control what Amazon RDS operations each individual AWS IAM user has permission to call.
Network Isolation
For additional network access control, you can run your DB Instances in an Amazon VPC. Amazon VPC enables you to isolate your DB Instances by specifying the IP range you want to use and connect to your existing IT infrastructure through industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB Instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC, and allows access to the RDS DB Instance in that VPC.
For Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can create DB subnet groups, which are collections of subnets that you may want to designate for your Amazon RDS DB Instances in an Amazon VPC. Each DB subnet group should have at least one subnet for every Availability Zone in a given region. In this case, when you create a DB Instance in an Amazon VPC, you select a DB subnet group; Amazon RDS then uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB Instance with that IP address.
DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 instances outside the Amazon VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an Amazon EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your Amazon RDS DB Instance.
DB security groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.
Encryption
You can encrypt connections between your application and your DB Instance using SSL. For MySQL and SQL Server, Amazon RDS creates an SSL certificate and installs the certificate on the DB Instance when the instance is provisioned. For MySQL, you launch the MySQL client with the --ssl-ca parameter pointing at the RDS certificate authority bundle in order to encrypt connections, and you should also have the client verify the server certificate against that bundle (--ssl-verify-server-cert, or --ssl-mode=VERIFY_IDENTITY on newer clients) so that it refuses to talk to anything other than your RDS endpoint. For SQL Server, download the public key and import the certificate into your Windows operating system. Oracle RDS uses Oracle native network encryption with a DB Instance. You simply add the native network encryption option to an option group and associate that option group with the DB Instance. After an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB Instance to accept only encrypted connections.
AmazonRDSsupportsTransparentDataEncryption(TDE)forSQLServer(SQLServerEnterpriseEdition)andOracle(partoftheOracleAdvancedSecurityoptionavailableinOracleEnterpriseEdition).TheTDEfeatureautomaticallyencryptsdatabeforeitiswrittentostorageandautomaticallydecryptsdatawhenitisreadfromstorage.IfyourequireyourMySQLdatatobeencryptedwhileatrestinthedatabase,yourapplicationmustmanagetheencryptionanddecryptionofdata.
NotethatSSLsupportwithinAmazonRDSisforencryptingtheconnectionbetweenyourapplicationandyourDBInstance;itshouldnotbereliedonforauthenticatingtheDBInstanceitself.WhileSSLofferssecuritybenefits,beawarethatSSLencryptionisacomputeintensiveoperationandwillincreasethelatencyofyourdatabaseconnection.
Automated Backups and DB Snapshots
Amazon RDS provides two different methods for backing up and restoring your DB Instance(s): automated backups and Database Snapshots (DB Snapshots). Turned on by default, the automated backup feature of Amazon RDS enables point-in-time recovery for your DB Instance. Amazon RDS will back up your database and transaction logs and store both for a user-specified retention period. This allows you to restore your DB Instance to any second during your retention period, up to the last five minutes. Your automatic backup retention period can be configured to up to 35 days.
DB Snapshots are user-initiated backups of your DB Instance. These full database backups are stored by Amazon RDS until you explicitly delete them. You can copy DB snapshots of any size and move them between any of the AWS public regions, or copy the same snapshot to multiple regions simultaneously. You can then create a new DB Instance from a DB Snapshot whenever you desire.
During the backup window, storage I/O may be suspended while your data is being backed up. This I/O suspension typically lasts a few minutes. This I/O suspension is avoided with Multi-AZ DB deployments, because the backup is taken from the standby.
DB Instance Replication
AWS Cloud computing resources are housed in highly available data center facilities in different regions of the world, and each region contains multiple distinct locations called Availability Zones. Each Availability Zone is engineered to be isolated from failures in other Availability Zones and provide inexpensive, low-latency network connectivity to other Availability Zones in the same region.
To architect for high availability of your Oracle, PostgreSQL, or MySQL databases, you can run your Amazon RDS DB Instance in several Availability Zones, an option called a Multi-AZ deployment. When you select this option, AWS automatically provisions and maintains a synchronous standby replica of your DB Instance in a different Availability Zone. The primary DB Instance is synchronously replicated across Availability Zones to the standby replica. In the event of DB Instance or Availability Zone failure, Amazon RDS will automatically fail over to the standby so that database operations can resume quickly without administrative intervention.
For customers who use MySQL and need to scale beyond the capacity constraints of a single DB Instance for read-heavy database workloads, Amazon RDS provides a read replica option. After you create a read replica, database updates on the source DB Instance are replicated to the read replica using MySQL's native, asynchronous replication. You can create multiple read replicas for a given source DB Instance and distribute your application's read traffic among them. Read replicas can be created with Multi-AZ deployments to gain read scaling benefits in addition to the enhanced database write availability and data durability provided by Multi-AZ deployments.
Automatic Software Patching
Amazon RDS will make sure that the relational database software powering your deployment stays up-to-date with the latest patches. When necessary, patches are applied during a maintenance window that you can control. You can think of the Amazon RDS maintenance window as an opportunity to control when DB Instance modifications (such as scaling DB Instance class) and software patching occur, in the event either are requested or required. If a maintenance event is scheduled for a given week, it will be initiated and completed at some point during the 30-minute maintenance window you identify.
The only maintenance events that require Amazon RDS to take your DB Instance offline are scale compute operations (which generally take only a few minutes from start to finish) or required software patching. Required patching is automatically scheduled only for patches that are related to security and durability. Such patching occurs infrequently (typically once every few months) and should seldom require more than a fraction of your maintenance window. If you do not specify a preferred weekly maintenance window when creating your DB Instance, a 30-minute default value is assigned. If you want to modify when maintenance is performed on your behalf, you can do so by modifying your DB Instance in the AWS Management Console or by using the ModifyDBInstance API. Each of your DB Instances can have different preferred maintenance windows, if you so choose.
Running your DB Instance in a Multi-AZ deployment can further reduce the impact of a maintenance event, as Amazon RDS will conduct maintenance via the following steps:
1. Perform maintenance on standby.
2. Promote standby to primary.
3. Perform maintenance on old primary, which becomes the new standby.
When an Amazon RDS DB Instance deletion API (DeleteDBInstance) is run, the DB Instance is marked for deletion. After the instance no longer indicates deleting status, it has been removed. At this point, the instance is no longer accessible, and unless a final snapshot copy was asked for, it cannot be restored and will not be listed by any of the tools or APIs.
Amazon Redshift Security
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service has been architected not only to scale up or down rapidly, but also to improve query speeds significantly even on extremely large data sets. To increase performance, Amazon Redshift uses techniques such as columnar storage, data compression, and zone maps to reduce the amount of I/O needed to perform queries. It also has a Massively Parallel Processing (MPP) architecture, parallelizing and distributing SQL operations to take advantage of all available resources.
Cluster Access
By default, clusters that you create are closed to everyone. Amazon Redshift enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. You can also run Amazon Redshift inside an Amazon VPC to isolate your data warehouse cluster in your own virtual network and connect it to your existing IT infrastructure using industry-standard encrypted IPsec VPN.
The AWS account that creates the cluster has full access to the cluster. Within your AWS account, you can use AWS IAM to create user accounts and manage permissions for those accounts. By using IAM, you can grant different users permission to perform only the cluster operations that are necessary for their work. Like all databases, you must grant permission in Amazon Redshift at the database level in addition to granting access at the resource level. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Amazon Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. However, users can see data only in the table rows that were generated by their own activities; rows generated by other users are not visible to them.
The user who creates a database object is its owner. By default, only a superuser or the owner of an object can query, modify, or grant permissions on the object. For users to use an object, you must grant the necessary permissions to the user or the group that contains the user. In addition, only the owner of an object can modify or delete it.
Data Backups
Amazon Redshift distributes your data across all compute nodes in a cluster. When you run a cluster with at least two compute nodes, data on each node will always be mirrored on disks on another node, reducing the risk of data loss. In addition, all data written to a node in your cluster is continuously backed up to Amazon S3 using snapshots. Amazon Redshift stores your snapshots for a user-defined period, which can be from 1 to 35 days. You can also take your own snapshots at any time; these snapshots leverage all existing system snapshots and are retained until you explicitly delete them.
Amazon Redshift continuously monitors the health of the cluster and automatically re-replicates data from failed drives and replaces nodes as necessary. All of this happens without any effort on your part, although you may see a slight performance degradation during the re-replication process.
You can use any system or user snapshot to restore your cluster using the AWS Management Console or the Amazon Redshift APIs. Your cluster is available as soon as the system metadata has been restored, and you can start running queries while user data is spooled down in the background.
Data Encryption
When creating a cluster, you can choose to encrypt it in order to provide additional protection for your data at rest. When you enable encryption in your cluster, Amazon Redshift stores all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk and any backups.
Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.
The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and encrypted by a master key. Amazon Redshift passes the database key across a secure channel and keeps it in memory in the cluster.
The cluster key encrypts the database key for the Amazon Redshift cluster. You can use either AWS or a Hardware Security Module (HSM) to store the cluster key. HSMs provide direct control of key generation and management and make key management separate and distinct from the application and the database.
The master key encrypts the cluster key if it is stored in AWS. The master key encrypts the cluster-key-encrypted database key if the cluster key is stored in an HSM.
You can have Amazon Redshift rotate the encryption keys for your encrypted clusters at any time. As part of the rotation process, keys are also updated for all of the cluster's automatic and manual snapshots. Note that enabling encryption in your cluster will impact performance, even though it is hardware accelerated.
Encryption also applies to backups. When you're restoring from an encrypted snapshot, the new cluster will be encrypted as well.
To encrypt your table load data files when you upload them to Amazon S3, you can use Amazon S3 server-side encryption. When you load the data from Amazon S3, the COPY command will decrypt the data as it loads the table.
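The four tiers described above, modelled in Go as an added example (this is not Amazon Redshift's own code, whose internals are not public): AES-256-GCM stands in for every tier, each data block gets its own wrapped data key, the database key is wrapped by the cluster key and the cluster key by a master key that is kept apart from the cluster, so rotating the cluster key re-wraps a single key and leaves every data block untouched. Key sizes, the blob layout and the in-memory handling of the database key are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n cryptographically random bytes (keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor panics on a malformed key: every key here is 32 bytes, so that is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts plaintext under key; the blob layout is nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication and returns an error.
func open(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Block is one data block: its own random AES-256 data key, wrapped by the database key.
type Block struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// Cluster persists only wrapped keys; the master key is never stored with it (assumed model).
type Cluster struct {
	WrappedClusterKey  []byte // cluster key encrypted by the master key
	WrappedDatabaseKey []byte // database key encrypted by the cluster key
	Blocks             []Block
	dbKey              []byte // held in memory only while the cluster runs
}

// NewCluster generates the cluster and database keys and wraps them for storage.
func NewCluster(masterKey []byte) *Cluster {
	clusterKey, dbKey := randomBytes(32), randomBytes(32)
	return &Cluster{seal(masterKey, clusterKey), seal(clusterKey, dbKey), nil, dbKey}
}

// Start models cluster start-up: unwrap master -> cluster -> database key into memory.
func (c *Cluster) Start(masterKey []byte) error {
	clusterKey, err := open(masterKey, c.WrappedClusterKey)
	if err != nil {
		return err
	}
	c.dbKey, err = open(clusterKey, c.WrappedDatabaseKey)
	return err
}

// WriteBlock encrypts plaintext under a fresh per-block data key.
func (c *Cluster) WriteBlock(plaintext []byte) {
	dataKey := randomBytes(32)
	c.Blocks = append(c.Blocks, Block{seal(c.dbKey, dataKey), seal(dataKey, plaintext)})
}

// ReadBlock unwraps the block's data key and decrypts the block.
func (c *Cluster) ReadBlock(i int) ([]byte, error) {
	dataKey, err := open(c.dbKey, c.Blocks[i].WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, c.Blocks[i].Ciphertext)
}

// RotateClusterKey replaces the cluster key and re-wraps only the database key
// under it; no data key or data block is rewritten, which is what makes it cheap.
func (c *Cluster) RotateClusterKey(masterKey []byte) {
	clusterKey := randomBytes(32)
	c.WrappedClusterKey = seal(masterKey, clusterKey)
	c.WrappedDatabaseKey = seal(clusterKey, c.dbKey)
}
```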
Database Audit Logging
Amazon Redshift logs all SQL operations, including connection attempts, queries, and changes to your database. You can access these logs using SQL queries against system tables or choose to have them downloaded to a secure Amazon S3 bucket. You can then use these audit logs to monitor your cluster for security and troubleshooting purposes.
Automatic Software Patching
Amazon Redshift manages all the work of setting up, operating, and scaling your data warehouse, including provisioning capacity, monitoring the cluster, and applying patches and upgrades to the Amazon Redshift engine. Patches are applied only during specified maintenance windows.
SSL Connections
To protect your data in transit within the AWS Cloud, Amazon Redshift uses hardware-accelerated SSL to communicate with Amazon S3 or Amazon DynamoDB for COPY, UNLOAD, backup, and restore operations. You can encrypt the connection between your client and the cluster by specifying SSL in the parameter group associated with the cluster. To have your clients also authenticate the Amazon Redshift server, you can install the public key (.pem file) for the SSL certificate on your client and use the key to connect to your clusters.
Amazon Redshift offers the newer, stronger cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL clients to provide Perfect Forward Secrecy between the client and the Amazon Redshift cluster. Perfect Forward Secrecy uses session keys that are ephemeral and not stored anywhere, which prevents the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised. You do not need to configure anything in Amazon Redshift to enable ECDHE; if you connect from an SQL client tool that uses ECDHE to encrypt communication between the client and server, Amazon Redshift will use the provided cipher list to make the appropriate connection.
Amazon ElastiCache Security
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases. It can be used to improve latency and throughput significantly for many read-heavy application workloads (such as social networking, gaming, media sharing, and Q and A portals) or compute-intensive workloads (such as a recommendation engine). Caching improves application performance by storing critical pieces of data in memory for low-latency access. Cached information may include the results of I/O-intensive database queries or the results of computationally-intensive calculations.
The Amazon ElastiCache service automates time-consuming management tasks for in-memory cache environments, such as patch management, failure detection, and recovery. It works in conjunction with other AWS Cloud services (such as Amazon EC2, Amazon CloudWatch, and Amazon SNS) to provide a secure, high-performance, and managed in-memory cache. For example, an application running in Amazon EC2 can securely access an Amazon ElastiCache cluster in the same region with very low latency.
Using the Amazon ElastiCache service, you create a Cache Cluster, which is a collection of one or more Cache Nodes, each running an instance of the Memcached service. A Cache Node is a fixed-size chunk of secure, network-attached RAM. Each Cache Node runs an instance of the Memcached service and has its own DNS name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated memory. A Cache Cluster can be set up with a specific number of Cache Nodes and a Cache Parameter Group that controls the properties for each Cache Node. All Cache Nodes within a Cache Cluster are designed to be of the same Node Type and have the same parameter and security group settings.
Data Access
Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster. By default, network access is turned off to your Cache Clusters. If you want your applications to access your Cache Cluster, you must explicitly enable access from hosts in specific Amazon EC2 security groups. After ingress rules are configured, the same rules apply to all Cache Clusters associated with that Cache Security Group.
To allow network access to your Cache Cluster, create a Cache Security Group and use the AuthorizeCacheSecurityGroupIngress API or CLI command to authorize the desired Amazon EC2 security group (which in turn specifies the Amazon EC2 instances allowed). IP-range based access control is currently not enabled for Cache Clusters. All clients to a Cache Cluster must be within the Amazon EC2 network, and authorized via Cache Security Groups.
Amazon ElastiCache for Redis provides backup and restore functionality, where you can create a snapshot of your entire Redis cluster as it exists at a specific point in time. You can schedule automatic, recurring daily snapshots, or you can create a manual snapshot at any time. For automatic snapshots, you specify a retention period; manual snapshots are retained until you delete them. The snapshots are stored in Amazon S3 with high durability, and can be used for warm starts, backups, and archiving.
Application Services
AWS offers a variety of managed services to use with your applications, including services that provide application streaming, queueing, push notification, email delivery, search, and transcoding.
Amazon Simple Queue Service (Amazon SQS) Security
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both. With Amazon SQS, you can send any number of messages to an Amazon SQS queue at any time from any component. The messages can be retrieved from the same component or a different one, right away or at a later time (within 14 days). Messages are highly durable; each message is persistently stored in highly available, highly reliable queues. Multiple processes can read/write from/to an Amazon SQS queue at the same time without interfering with each other.
Data Access
Amazon SQS access is granted based on an AWS account or a user created with AWS IAM. After it is authenticated, the AWS account has full access to all user operations. An IAM user, however, only has access to the operations and queues for which they have been granted access via policy. By default, access to each individual queue is restricted to the AWS account that created it. However, you can allow other access to a queue, using either an Amazon SQS-generated policy or a policy you write.
Encryption
Amazon SQS is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application using the queue has a means to decrypt the message when it's retrieved. Encrypting messages before sending them to Amazon SQS helps protect against access to sensitive customer data by unauthorized persons, including AWS.
Amazon Simple Notification Service (Amazon SNS) Security
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS provides a simple web services interface that can be used to create topics that customers want to notify applications (or people) about, subscribe clients to these topics, publish messages, and have these messages delivered over clients' protocol of choice (for example, HTTP/HTTPS, email).
Amazon SNS delivers notifications to clients using a push mechanism that eliminates the need to check or poll for new information and updates periodically. Amazon SNS can be leveraged to build highly reliable, event-driven workflows and messaging applications without the need for complex middleware and application management. The potential uses for Amazon SNS include monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and many others.
Data Access
Amazon SNS provides access control mechanisms so that topics and messages are secured against unauthorized access. Topic owners can set policies for a topic that restrict who can publish or subscribe to a topic. Additionally, topic owners can encrypt transmission by specifying that the delivery mechanism must be HTTPS. Amazon SNS access is granted based on an AWS account or a user created with AWS IAM. After it is authenticated, the AWS account has full access to all user operations. An IAM user, however, only has access to the operations and topics for which they have been granted access via policy. By default, access to each individual topic is restricted to the AWS account that created it. However, you can allow other access to Amazon SNS, using either an Amazon SNS-generated policy or a policy you write.
Analytics Services
AWS provides cloud-based analytics services to help you process and analyze any volume of data, whether your need is for managed Hadoop clusters, real-time streaming data, petabyte-scale data warehousing, or orchestration.
Amazon Elastic MapReduce (Amazon EMR) Security
Amazon Elastic MapReduce (Amazon EMR) is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. It uses an enhanced version of the Apache Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3. You simply upload your input data and a data processing application into Amazon S3. Amazon EMR then launches the number of Amazon EC2 instances you specify. The service begins the job flow execution while pulling the input data from Amazon S3 into the launched Amazon EC2 instances. After the job flow is finished, Amazon EMR transfers the output data to Amazon S3, where you can then retrieve it or use it as input in another job flow.
When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to SSH into the instances using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to not allow access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups within your account, you can reconfigure them using the standard EC2 tools or dashboard. To protect customer input and output data sets, Amazon EMR transfers data to and from Amazon S3 using SSL.
Amazon EMR provides several ways to control access to the resources of your cluster. You can use AWS IAM to create user accounts and roles and configure permissions that control which AWS features those users and roles can access. When you launch a cluster, you can associate an Amazon EC2 key pair with the cluster, which you can then use when you connect to the cluster using SSH. You can also set permissions that allow users other than the default Hadoop user to submit jobs to your cluster.
By default, if an IAM user launches a cluster, that cluster is hidden from other IAM users on the AWS account. This filtering occurs on all Amazon EMR interfaces (the AWS Management Console, CLI, API, and SDKs) and helps prevent IAM users from accessing and inadvertently changing clusters created by other IAM users.
For an additional layer of protection, you can launch the Amazon EC2 instances of your Amazon EMR cluster into an Amazon VPC, which is like launching it into a private subnet. This allows you to control access to the entire subnet. You can also launch the cluster into an Amazon VPC and enable the cluster to access resources on your internal network using a VPN connection. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it is uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon EMR fetches the data from Amazon S3.
Amazon Kinesis Security
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. It can accept any amount of data, from any number of sources, scaling up and down as needed. You can use Amazon Kinesis in situations that call for large-scale, real-time data ingestion and processing, such as server logs, social media, or market data feeds, and web clickstream data. Applications read and write data records to Amazon Kinesis in streams. You can create any number of Amazon Kinesis streams to capture, store, and transport data.
You can control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using AWS IAM, and controlling which Amazon Kinesis operations these users have permission to perform. To facilitate running your producer or consumer applications on an Amazon EC2 instance, you can configure that instance with an IAM role. That way, AWS credentials that reflect the permissions associated with the IAM role are made available to applications on the instance, which means you don't have to use your long-term AWS security credentials. Roles have the added benefit of providing temporary credentials that expire within a short time frame, which adds an additional measure of protection.
The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint (kinesis.us-east-1.amazonaws.com) to help ensure secure transmission of your data to AWS. You must connect to that endpoint to access Amazon Kinesis, but you can then use the API to direct Amazon Kinesis to create a stream in any AWS region.
Deployment and Management Services
AWS provides a variety of tools to help with the deployment and management of your applications. This includes services that allow you to create individual user accounts with credentials for access to AWS services. It also includes services for creating and updating stacks of AWS resources, deploying applications on those resources, and monitoring the health of those AWS resources. Other tools help you manage cryptographic keys using HSMs and log AWS API activity for security and compliance purposes.
AWS Identity and Access Management (IAM) Security
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM eliminates the need to share passwords or keys and makes it easy to enable or disable a user's access as appropriate.
AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS account and only granting permission to access the AWS Cloud services and resources required for the users to perform their jobs. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.
AWS IAM is also integrated with AWS Marketplace so that you can control who in your organization can subscribe to the software and services offered in AWS Marketplace. Because subscribing to certain software in AWS Marketplace launches an Amazon EC2 instance to run the software, this is an important access control feature. Using IAM to control access to AWS Marketplace also enables AWS account owners to have fine-grained control over usage and software costs.
AWS IAM enables you to minimize the use of your AWS account credentials. After you create IAM user accounts, all interactions with AWS Cloud services and resources should occur with IAM user security credentials.
Roles
An IAM role uses temporary security credentials to allow you to delegate access to users or services that normally don't have access to your AWS resources. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (for example, mobile user or Amazon EC2 instance) assumes a role and receives temporary security credentials for authenticating to the resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. This can be particularly useful in providing limited, controlled access in certain situations:
Federated (Non-AWS) User Access
Federated users are users (or applications) who do not have AWS accounts. With roles, you can give them access to your AWS resources for a limited amount of time. This is useful if you have non-AWS users that you can authenticate with an external service, such as Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or Kerberos. The temporary AWS credentials used with the roles provide identity federation between AWS and your non-AWS users in your corporate identity and authorization system.
Security Assertion Markup Language (SAML) 2.0
If your organization supports SAML 2.0, you can create trust between your organization as an Identity Provider (IdP) and other organizations as service providers. In AWS, you can configure AWS as the service provider and use SAML to provide your users with federated Single Sign-On (SSO) to the AWS Management Console or to get federated access to call AWS APIs.
Roles are also useful if you create a mobile or web-based application that accesses AWS resources. AWS resources require security credentials for programmatic requests; however, you shouldn't embed long-term security credentials in your application because they are accessible to the application's users and can be difficult to rotate. Instead, you can let users sign in to your application using Login with Amazon, Facebook, or Google and then use their authentication information to assume a role and get temporary security credentials.
Cross-Account Access
For organizations that use multiple AWS accounts to manage their resources, you can set up roles to provide users who have permissions in one account to access resources under another account. For organizations that have personnel who only rarely need access to resources under another account, using roles helps to ensure that credentials are provided temporarily and only as needed.
Applications Running on EC2 Instances That Need to Access AWS Resources
If an application runs on an Amazon EC2 instance and needs to make requests for AWS resources, such as Amazon S3 buckets or a DynamoDB table, it must have security credentials. Using roles instead of creating individual IAM accounts for each application on each instance can save significant time for customers who manage a large number of instances or an elastically scaling fleet using AWS Auto Scaling.
The temporary credentials include a security token, an Access Key ID, and a Secret Access Key. To give a user access to certain resources, you distribute the temporary security credentials to the user to whom you are granting temporary access. When the user makes calls to your resources, the user passes in the token and Access Key ID and signs the request with the Secret Access Key. The token will not work with different access keys.
The use of temporary credentials provides additional protection for you because you don't have to manage or distribute long-term credentials to temporary users. In addition, the temporary credentials get automatically loaded to the target instance so you don't have to embed them somewhere unsafe like your code. Temporary credentials are automatically rotated or changed multiple times a day without any action on your part and are stored securely by default.
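How the three parts of a temporary credential fit together when a request is signed, as an added example in Go (not AWS SDK code): the session token travels in the signed X-Amz-Security-Token header, the Secret Access Key derives the Signature Version 4 signing key, and a simplified service side checks that the presented token is the one issued with the named Access Key ID before recomputing the signature, which is why a token cannot be reused with a different access key. The credential values, the issued-token table and the omission of expiry and clock-skew checks are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// TemporaryCredentials is the triple the text describes: Access Key ID,
// Secret Access Key and session token (all sample values are constructed).
type TemporaryCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

// Request is the part of an HTTP request that SigV4 covers. Header names must
// be lowercase, Headers must be non-nil and Query must already be canonical (sorted).
type Request struct {
	Method, Path, Query, Payload string
	Headers                      map[string]string
}

func hmacSHA256(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// CanonicalRequest serialises the request exactly as SigV4 hashes it and
// returns the semicolon-joined list of signed header names alongside.
func CanonicalRequest(r Request) (canonical, signedHeaders string) {
	names := make([]string, 0, len(r.Headers))
	for k := range r.Headers {
		names = append(names, k)
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		hdrs.WriteString(n + ":" + strings.TrimSpace(r.Headers[n]) + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	canonical = strings.Join([]string{r.Method, r.Path, r.Query, hdrs.String(),
		signedHeaders, sha256Hex(r.Payload)}, "\n")
	return canonical, signedHeaders
}

// signingKey derives the per-date, per-region, per-service key from the secret.
func signingKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	return hmacSHA256(k, "aws4_request")
}

// Sign is the client side: it puts the date and the session token into signed
// headers and returns the Authorization header value. amzDate is "YYYYMMDDThhmmssZ".
func Sign(creds TemporaryCredentials, r Request, amzDate, region, service string) string {
	r.Headers["x-amz-date"] = amzDate
	r.Headers["x-amz-security-token"] = creds.SessionToken // covered by the signature
	canonical, signedHeaders := CanonicalRequest(r)
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonical)}, "\n")
	sig := hmacSHA256(signingKey(creds.SecretAccessKey, amzDate[:8], region, service), stringToSign)
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		creds.AccessKeyID, scope, signedHeaders, hex.EncodeToString(sig))
}

// Issued models what the token service remembers: the secret and the session
// token that were handed out together with one Access Key ID (assumed model).
type Issued struct{ SecretAccessKey, SessionToken string }

// Verify is the service side: find the access key named in the Authorization
// header, require the presented token to be the one issued with that key, then
// recompute the signature over the request as received and compare in constant time.
func Verify(auth string, r Request, issued map[string]Issued, region, service string) bool {
	parts := strings.Fields(auth)
	if len(parts) != 4 || parts[0] != "AWS4-HMAC-SHA256" {
		return false
	}
	keyID := strings.TrimPrefix(strings.SplitN(parts[1], "/", 2)[0], "Credential=")
	cred, ok := issued[keyID]
	if !ok || r.Headers["x-amz-security-token"] != cred.SessionToken {
		return false // a token presented with a different access key is rejected
	}
	amzDate := r.Headers["x-amz-date"]
	if len(amzDate) != len("20150830T123600Z") {
		return false
	}
	expected := Sign(TemporaryCredentials{keyID, cred.SecretAccessKey, cred.SessionToken},
		r, amzDate, region, service)
	return hmac.Equal([]byte(auth), []byte(expected))
}
```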
Mobile Services
AWS mobile services make it easier for you to build, ship, run, monitor, optimize, and scale cloud-powered applications for mobile devices. These services also help you authenticate users to your mobile application, synchronize data, and collect and analyze application usage.
Amazon Cognito Security
Amazon Cognito provides identity and sync services for mobile and web-based applications. It simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It provides temporary, limited-privilege credentials for both authenticated and unauthenticated users without having to manage any back-end infrastructure.
Amazon Cognito works with well-known identity providers like Google, Facebook, and Amazon to authenticate end users of your mobile and web applications. You can take advantage of the identification and authorization features provided by these services instead of having to build and maintain your own. Your application authenticates with one of these identity providers using the provider's SDK. After the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Amazon Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.
To begin using Amazon Cognito, you create an identity pool through the Amazon Cognito console. The identity pool is a store of user identity information that is specific to your AWS account. During the creation of the identity pool, you will be asked to create a new IAM role or pick an existing one for your end users. An IAM role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (for example, mobile user, Amazon EC2 instance) assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire.
The role you select has an impact on which AWS Cloud services your end users will be able to access with the temporary credentials. By default, Amazon Cognito creates a new role with limited permissions; end users only have access to the Amazon Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources, such as Amazon S3 or Amazon DynamoDB, you can modify your roles directly from the IAM console.
With Amazon Cognito, there is no need to create individual AWS accounts or even IAM accounts for every one of your web/mobile application end users who will need to access your AWS resources. In conjunction with IAM roles, mobile users can securely access AWS resources and application features and even save data to the AWS Cloud without having to create an account or log in. If they choose to create an account or log in later, Amazon Cognito will merge data and identification information.
Because Amazon Cognito stores data locally and also in the service, your end users can continue to interact with their data even when they are offline. Their offline data may be stale, but they can immediately retrieve anything they put into the data set whether or not they are online. The client SDK manages a local SQLite store so that the application can work even when it is not connected. The SQLite store functions as a cache and is the target of all read and write operations. Amazon Cognito's sync facility compares the local version of the data to the cloud version and pushes up or pulls down deltas as needed. Note that in order to sync data across devices, your identity pool must support authenticated identities. Unauthenticated identities are tied to the device, so unless an end user authenticates, no data can be synced across multiple devices.
With Amazon Cognito, your application communicates directly with a supported public identity provider (Amazon, Facebook, or Google) to authenticate users. Amazon Cognito does not receive or store user credentials, only the OAuth or OpenID Connect token received from the identity provider. After Amazon Cognito receives the token, it returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials. Each Amazon Cognito identity has access only to its own data in the sync store, and this data is encrypted when stored. In addition, all identity data is transmitted over HTTPS. The unique Amazon Cognito identifier on the device is stored in the appropriate secure location. For example, on iOS, the Amazon Cognito identifier is stored in the iOS keychain. User data is cached in a local SQLite database within the application's sandbox; if you require additional security, you can encrypt this identity data in the local cache by implementing encryption in your application.
Applications
AWS applications are managed services that enable you to provide your users with secure, centralized storage and work areas in the cloud.
Amazon WorkSpaces Security
Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Simply choose a Windows 7 bundle that best meets the needs of your users and the number of WorkSpaces that you want to launch. After the WorkSpaces are ready, users receive an email informing them where they can download the relevant client and log in to their WorkSpace. They can then access their cloud-based desktops from a variety of endpoint devices, including PCs, laptops, and mobile devices. However, your organization's data is never sent to or stored on the end-user device because Amazon WorkSpaces uses PC-over-IP (PCoIP), which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the users' desktop computing experience and transmits as pixels only across any standard IP network to end-user devices.
In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. When you integrate Amazon WorkSpaces with your corporate Active Directory, each WorkSpace joins your Active Directory domain and can be managed just like any other desktop in your organization. This means that you can use Active Directory Group Policies to manage your users' WorkSpaces and specify configuration options that control the desktop. If you choose not to use Active Directory or another type of on-premises directory to manage your user WorkSpaces, you can create a private cloud directory within Amazon WorkSpaces that you can use for administration.
To provide an additional layer of security, you can also require the use of MFA upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises Remote Authentication Dial In User Service (RADIUS) server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
Each WorkSpace resides on its own Amazon EC2 instance within an Amazon VPC. You can create WorkSpaces in an Amazon VPC you already own or have the Amazon WorkSpaces service create one for you automatically using the Amazon WorkSpaces Quick Start option. When you use the Quick Start option, Amazon WorkSpaces not only creates the Amazon VPC, but it also performs several other provisioning and configuration tasks for you, such as creating an Internet Gateway for the Amazon VPC, setting up a directory within the Amazon VPC that is used to store user and WorkSpace information, creating a directory administrator account, creating the specified user accounts and adding them to the directory, and creating the Amazon WorkSpaces instances. Alternatively, the Amazon VPC can be connected to an on-premises network using a secure VPN connection to allow access to an existing on-premises Active Directory and other intranet resources. You can add a security group that you create in your Amazon VPC to all of the WorkSpaces that belong to your Active Directory. This allows you to control network access from Amazon WorkSpaces in your Amazon VPC to other resources in your Amazon VPC and on-premises network.
Persistent storage for Amazon WorkSpaces is provided by Amazon EBS and is automatically backed up twice a day to Amazon S3. If Amazon WorkSpaces Sync is enabled on a WorkSpace, the folder a user chooses to sync will be continuously backed up and stored in Amazon S3. You can also use Amazon WorkSpaces Sync on a Mac or PC to sync documents to or from your WorkSpace so that you can always have access to your data regardless of the desktop computer you are using.
Because it is a managed service, AWS takes care of several security and maintenance tasks like daily backups and patching. Updates are delivered automatically to your WorkSpaces during a weekly maintenance window. You can control how patching is configured for a user's WorkSpace. By default, Windows Update is turned on, but you have the ability to customize these settings or use an alternative patch management approach if you desire. For the underlying OS, Windows Update is enabled by default on Amazon WorkSpaces and configured to install updates on a weekly basis. You can use an alternative patching approach or configure Windows Update to perform updates at a time of your choosing. You can use IAM to control who on your team can perform administrative functions like creating or deleting WorkSpaces or setting up user directories. You can also set up a WorkSpace for directory administration, install your favorite Active Directory administration tools, and create organizational units and Group Policies in order to apply Active Directory changes more easily for all of your Amazon WorkSpaces users.
Summary
In this chapter, you learned that the first priority at AWS is Cloud security. Security within AWS is based on a "defense in depth" model where no one, single element is used to secure systems on AWS. Rather, AWS uses a multitude of elements—each acting at different layers of a system—in total to secure the system. AWS is responsible for some layers of this model, and customers are responsible for others. AWS also offers security tools and features of services for customers to use at their discretion. Several of these concepts, tools, and features were discussed in this chapter.
Security Model
The shared responsibility model is the security model where AWS is responsible for the security of the underlying cloud infrastructure, and the customer is responsible for securing workloads deployed in AWS. Customers benefit from a data center and network architecture built to satisfy the requirements of AWS's most security-sensitive customers. This means that customers get a resilient infrastructure, designed for high security, without the capital outlay and operational overhead of a traditional data center.
Account Level Security
AWS credentials help ensure that only authorized users and processes access your AWS account and resources. AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provides the option of requiring MFA to log in to your AWS account or IAM user accounts.
Passwords are required to access your AWS account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page.
AWS MFA is an additional layer of security for accessing AWS Cloud services. When you enable this optional feature, you will need to provide a six-digit, single-use code in addition to your standard username and password credentials before access is granted to your AWS account settings or AWS Cloud services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is multi-factor because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). An MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.
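The TOTP arithmetic a virtual MFA device performs, as an added example that is not code from this book or from AWS: HMAC over a time-derived counter, dynamic truncation, and a verifier that tolerates one step of clock drift. The seed is the test value published in RFC 4226/RFC 6238, not an AWS secret.

```python
"""RFC 6238 TOTP generator and verifier (added example; not AWS code).

Implements HOTP (RFC 4226) and TOTP (RFC 6238): HMAC over a moving factor,
dynamic truncation, then a six- or eight-digit decimal code.  The seed below
is the ASCII test seed from RFC 6238 Appendix B; it is a constructed test
value, not a real MFA secret.
"""
import hashlib
import hmac
import struct
import time

# Test seed from RFC 4226 / RFC 6238 Appendix B (HMAC-SHA-1 column).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X)."""
    counter = (unix_time - t0) // step
    return hotp(secret, counter, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, t0: int = 0, digits: int = 6) -> bool:
    """Accept a code from the current step or up to `window` adjacent steps.

    The comparison is constant-time so the verifier does not leak how many
    leading digits matched.  A production verifier must also refuse to accept
    the same code twice within its validity window (RFC 6238 section 5.2);
    that replay check is omitted here.
    """
    now_counter = (unix_time - t0) // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, now_counter + drift, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    print("HOTP at counter 0:", hotp(RFC_TEST_SEED, 0))            # 755224 (RFC 4226)
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_SEED, 59, digits=8))  # 94287082 (RFC 6238)
    print("Current 6-digit code:", totp(RFC_TEST_SEED, int(time.time())))
```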
Access Keys are created by AWS IAM and delivered as a pair: the Access Key ID (AKI) and the Secret Access Key (SAK). AWS requires that all API requests be signed by the SAK; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you. The most recent version of the digital signature calculation process at the time of this writing is Signature Version 4, which calculates the signature using the HMAC-SHA-256 protocol.
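The Signature Version 4 calculation the SDKs perform for you, worked by hand as an added example (not code from this book or the AWS SDKs): canonical request, string to sign, the HMAC-SHA-256 signing-key chain derived from the SAK, and the final Authorization header. The access key, secret and timestamp are the placeholder values AWS uses in its own public documentation example, not real credentials.

```python
"""AWS Signature Version 4 signing, step by step (added example; not SDK code).

The credentials and timestamp are the placeholder values from AWS's public
SigV4 documentation example; they are not real credentials.
"""
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import quote

ACCESS_KEY_ID = "AKIDEXAMPLE"                                   # documentation placeholder
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"  # documentation placeholder
REGION, SERVICE = "us-east-1", "iam"
AMZ_DATE = "20150830T123600Z"                                   # X-Amz-Date header value


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: Dict[str, str]) -> str:
    """Parameters sorted by name, each name and value URI-encoded (RFC 3986)."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def canonical_request(method: str, uri: str, params: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Step 1: canonical request plus the signed-headers list.

    Header names are lower-cased and sorted, values trimmed.  The body enters
    only as its SHA-256 hash, which is enough to bind it to the signature.
    """
    lc = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lc)
    signed_headers = ";".join(names)
    canon_headers = "".join(f"{n}:{lc[n]}\n" for n in names)
    creq = "\n".join([method, uri, canonical_query(params), canon_headers,
                      signed_headers, sha256_hex(payload)])
    return creq, signed_headers


def credential_scope(amz_date: str, region: str, service: str) -> str:
    return f"{amz_date[:8]}/{region}/{service}/aws4_request"


def string_to_sign(amz_date: str, scope: str, creq: str) -> str:
    """Step 2: algorithm, timestamp, scope, and the hash of the canonical request."""
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))])


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Step 3: kSecret -> kDate -> kRegion -> kService -> kSigning.

    The SAK itself never signs a request; only this derived, date-scoped key does.
    """
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method: str, uri: str, params: Dict[str, str], headers: Dict[str, str],
                 payload: bytes, access_key: str = ACCESS_KEY_ID,
                 secret: str = SECRET_ACCESS_KEY, amz_date: str = AMZ_DATE,
                 region: str = REGION, service: str = SERVICE) -> Dict[str, str]:
    """Step 4: hex signature and the Authorization header that carries it."""
    creq, signed = canonical_request(method, uri, params, headers, payload)
    scope = credential_scope(amz_date, region, service)
    sts = string_to_sign(amz_date, scope, creq)
    key = signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed}, Signature={signature}")
    return {"canonical_request": creq, "string_to_sign": sts,
            "signature": signature, "authorization": authorization}


def example_request(payload: bytes = b"") -> Dict[str, str]:
    """The IAM ListUsers GET from the AWS documentation example."""
    headers = {"Host": "iam.amazonaws.com",
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "X-Amz-Date": AMZ_DATE}
    return sign_request("GET", "/", {"Action": "ListUsers", "Version": "2010-05-08"},
                        headers, payload)


if __name__ == "__main__":
    result = example_request()
    print(result["canonical_request"], "\n---\n", result["string_to_sign"], "\n---")
    print(result["authorization"])
```

AWS publishes the intermediate values and final signature for these same inputs in its SigV4 documentation, so the printed output can be checked against that page.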
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account.
Service-Specific Security
In addition to the Shared Responsibility Model and Account Level security, AWS offers security features for each of the services it provides. These security features are outlined below by technology domain.
Compute
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 supports RSA 2048 SSH-2 key pairs for gaining first access to an Amazon EC2 instance. On a Linux instance, access is granted through showing possession of the SSH private key. On a Windows instance, access is granted by showing possession of the SSH private key in order to decrypt the administrator password.
Amazon Elastic Block Store (Amazon EBS)
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations within the same Availability Zone as part of normal operation of that service and at no additional charge. AWS provides the ability to encrypt Amazon EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the Amazon EC2 instances, providing encryption of data as it moves between Amazon EC2 instances and Amazon EBS storage.
Networking
Elastic Load Balancing
Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC enables you to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice. Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network.
Amazon CloudFront
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. To control who can download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system.
Storage
Amazon Simple Storage Service (Amazon S3)
Amazon S3 allows you to upload and retrieve data at any time, from anywhere on the web. Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create. You can securely upload and download data to Amazon S3 via the SSL-encrypted endpoints. Amazon S3 supports several methods to encrypt data at rest.
Amazon Glacier
The Amazon Glacier service provides low-cost, secure, and durable storage. You can securely upload and download data to Amazon Glacier via the SSL-encrypted endpoints, and the service automatically encrypts the data using AES-256 and stores it durably in an immutable form.
AWS Storage Gateway
The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS storage infrastructure. Data is asynchronously transferred from your on-premises storage hardware to AWS over SSL and stored encrypted in Amazon S3 using AES-256.
Database
Amazon DynamoDB
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. You can control access at the database level by creating database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application.
Amazon Relational Database Service (RDS)
Amazon RDS allows you to quickly create a relational DB Instance and flexibly scale the associated compute resources and storage capacity to meet application demand. You can control Amazon RDS DB Instance access via DB security groups, which act like a firewall controlling network access to your DB Instance. Database security groups default to deny-all access mode, and customers must specifically authorize network ingress. Amazon RDS is supported within an Amazon VPC, and for Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can encrypt connections between your application and your DB Instance using SSL, and you can encrypt data at rest within Amazon RDS instances for all database engines.
Amazon Redshift
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Amazon Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. You may choose for Amazon Redshift to store all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk and also any backups. Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key.
Amazon ElastiCache
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster.
Application Services
Amazon Simple Queue Service (SQS)
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. Amazon SQS access is granted based on an AWS account or a user created with AWS IAM. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application using the queue has a means to decrypt the message when it's retrieved.
Amazon Simple Notification Service (SNS)
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS allows topic owners to set policies for a topic that restrict who can publish or subscribe to a topic.
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon EMR is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. You can launch the Amazon EC2 instances of your Amazon EMR cluster into an Amazon VPC, which is like launching it into a private subnet. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it is uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon EMR fetches the data from Amazon S3.
Amazon Kinesis
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. You can control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using AWS IAM and controlling which Amazon Kinesis operations these users have permission to perform. The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint to help ensure secure transmission of your data to AWS.
Deployment and Management
AWS Identity and Access Management (IAM)
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group.
Mobile Services
Amazon Cognito
Amazon Cognito provides identity and sync services for mobile and web-based applications. Your application authenticates with one of the well-known identity providers such as Google, Facebook, and Amazon using the provider's SDK. After the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Amazon Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.
Applications
Amazon WorkSpaces
Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the user's desktop computing experience and transmits as pixels only across any standard IP network to end-user devices. In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. You can also require the use of MFA upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises RADIUS server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
Exam Essentials
Understand the shared responsibility model. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud.
Understand regions and Availability Zones. Each region is completely independent. Each region is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Regions are a collection of Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.
Understand High-Availability System Design within AWS. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Understand the network security of AWS. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, ACLs, and configurations to enforce the flow of information to specific information system services.
AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow HTTPS access, which allows you to establish a secure communication session with your storage or compute instances within AWS.
Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated.
It is not possible for an Amazon EC2 instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance.
Understand the use of credentials on AWS. AWS employs several credentials in order to positively identify a person or authorize an API call to the platform. Credentials include:
Passwords: AWS root account or IAM user account login to the AWS Management Console
Multi-Factor Authentication (MFA): AWS root account or IAM user account login to the AWS Management Console
Access Keys: Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)
Understand the proper use of access keys. Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and not to embed them in your code. For customers with large fleets of elastically-scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.
Understand the value of AWS CloudTrail. AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account.
Understand the security features of Amazon EC2. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.
To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
Understand AWS use of encryption of data in transit. All service endpoints support encryption of data in transit via HTTPS.
Know which services offer encryption of data at rest as a feature. The following services offer a feature to encrypt data at rest:
Amazon S3
Amazon EBS
Amazon Glacier
AWS Storage Gateway
Amazon RDS
Amazon Redshift
Amazon WorkSpaces
Exercises
The best way to become familiar with the security features of AWS is to do the exercises for each chapter and inspect the security features offered by the service. Take a look at this list of AWS Cloud services covered in different chapters and their security features:
Chapter 6, AWS IAM
Exercise 6.1: Create an IAM Group
Exercise 6.2: Create a Customized Sign-In Link and Password Policy
Exercise 6.3: Create an IAM User
Exercise 6.4: Create and Use an IAM Role
Exercise 6.5: Rotate Keys
Exercise 6.6: Set Up MFA
Exercise 6.7: Resolve Conflicting Permissions
Chapter 3, Amazon EC2
Exercise 3.1: Launch and Connect to a Linux Instance
Exercise 3.2: Launch a Windows Instance with Bootstrapping
Chapter 3, Amazon EBS
Exercise 3.8: Launch an Encrypted Volume
Chapter 2, Amazon S3
Exercise 2.1: Create an Amazon Simple Storage Service (Amazon S3) Bucket
Exercise 2.2: Upload, Make Public, Rename, and Delete Objects in Your Bucket
Chapter 4, Amazon VPC
Exercise 4.1: Create a Custom Amazon VPC
Exercise 4.2: Create Two Subnets for Your Custom Amazon VPC
Exercise 4.3: Connect Your Amazon VPC to the Internet and Establish Routing
Exercise 4.4: Launch an Amazon EC2 Instance and Test the Connection to the Internet
Chapter 7, Amazon RDS
Exercise 7.1: Create a MySQL Amazon RDS Instance
Exercise 7.2: Simulate a Failover from One AZ to Another
Review Questions
1. Which is an operational process performed by AWS for data security?
A. Advanced Encryption Standard (AES)-256 encryption of data stored on any shared storage device
B. Decommissioning of storage devices using industry-standard practices
C. Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and Amazon EBS snapshots
D. Replication of data across multiple AWS regions
E. Secure wiping of Amazon EBS data when an Amazon EBS volume is unmounted
2. You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and specified an Amazon EC2 key pair for the instance at launch. Which of the following accurately describes how to log in to the instance?
A. Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell (SSH).
B. Use your AWS Identity and Access Management (IAM) user X.509 certificate to log in to the instance.
C. Use the Amazon EC2 key pair to decrypt the administrator password and then securely connect to the instance via Remote Desktop Protocol (RDP) as the administrator.
D. A key pair is not needed. Securely connect to the instance via RDP.
3. A Database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC) and by default allows access from?
A. Access from any IP address for the standard ports that the database uses is provided by default.
B. Access from any IP address for any port is provided by default in the DB security group.
C. No access is provided by default, and any access must be explicitly added with a rule to the DB security group.
D. Access for the database connection string is provided by default in the DB security group.
4. Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to encrypt data at rest with Server-Side Encryption (SSE)?
A. Advanced Encryption Standard (AES)-256
B. RSA 1024
C. RSA 2048
D. AES-128
5. How many access keys may an AWS Identity and Access Management (IAM) user have active at one time?
A. 0
B. 1
C. 2
D. 3
6. Which of the following is the name of the security model employed by AWS with its customers?
A. The shared secret model
B. The shared responsibility model
C. The shared secret key model
D. The secret key responsibility model
7. Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest?
A. Amazon Redshift uses a one-tier, key-based architecture for encryption.
B. Amazon Redshift uses a two-tier, key-based architecture for encryption.
C. Amazon Redshift uses a three-tier, key-based architecture for encryption.
D. Amazon Redshift uses a four-tier, key-based architecture for encryption.
8. Which of the following Elastic Load Balancing options ensure that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection?
A. Client Server Cipher Suite
B. Server Cipher Only
C. First Server Cipher
D. Server Order Preference
9. Which technology does Amazon WorkSpaces use to provide data security?
A. Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
B. Advanced Encryption Standard (AES)-256
C. PC-over-IP (PCoIP)
D. AES-128
10. As a Solutions Architect, how should you architect systems on AWS?
A. You should architect for least cost.
B. You should architect your AWS usage to take advantage of Amazon Simple Storage Service's (Amazon S3) durability.
C. You should architect your AWS usage to take advantage of multiple regions and Availability Zones.
D. You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling to ensure capacity is available when needed.
11. Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token?
A. Time-Based One-Time Password (TOTP)
B. Perfect Forward Secrecy (PFC)
C. Ephemeral Diffie Hellman (EDH)
D. Split-Key Encryption (SKE)
12. DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content? (Choose 2 answers)
A. DynamoDB encrypts all data server-side by default so nothing is required.
B. DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB.
C. DynamoDB obfuscates all data stored so encryption is not required.
D. DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB.
E. DynamoDB should not be used to store sensitive information requiring protection.
13. You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance into EC2-Classic, and the instance has successfully passed the System Status Check and Instance Status Check. You attempt to securely connect to the instance via Secure Shell (SSH) and receive the response, "WARNING: UNPROTECTED PRIVATE KEY FILE," after which the login fails. Which of the following is the cause of the failed login?
A. You are using the wrong private key.
B. The permissions for the private key are too insecure for the key to be trusted.
C. A security group rule is blocking the connection.
D. A security group rule has not been associated with the private key.
14. Which of the following public identity providers are supported by Amazon Cognito Identity?
A. Amazon
B. Google
C. Facebook
D. All of the above
15. Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance?
A. AWS Identity and Access Management (IAM) instance profile
B. IAM groups
C. IAM roles
D. Amazon EC2 key pairs
16. Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a stateless firewall?
A. Security group
B. Network Access Control List (ACL)
C. Network Address Translation (NAT) instance
D. An Amazon VPC endpoint
17. Which of the following is the most recent version of the AWS digital signature calculation process?
A. Signature Version 1
B. Signature Version 2
C. Signature Version 3
D. Signature Version 4
18. Which of the following is the name of the feature within Amazon Virtual Private Cloud (Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2) instances on hardware dedicated to a single customer?
A. Amazon VPC-based tenancy
B. Dedicated tenancy
C. Default tenancy
D. Host-based tenancy
19. Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster?
A. The master node and the slave nodes are launched into an Amazon Virtual Private Cloud (Amazon VPC).
B. The master node supports a Virtual Private Network (VPN) connection from the key specified at cluster launch.
C. The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node.
D. The master node and slave nodes are launched into a security group that allows SSH and service access.
20. To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following?
A. Amazon EBS replicates EBS volume data within the same Availability Zone in a region.
B. Amazon EBS replicates EBS volume data across other Availability Zones within the same region.
C. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in one other region.
D. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in every other region.
Chapter 13
AWS Risk and Compliance
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
Shared security responsibility model
Security Architecture with AWS
AWS platform compliance
AWS security attributes
Design patterns
Introduction
AWS and its customers share control over the IT environment, so both parties have responsibility for managing that environment. AWS's part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.
The customer is responsible for configuring their IT environment in a secure and controlled manner for their purposes. While customers don't communicate their use and configurations to AWS, AWS does communicate with customers regarding its security and control environment, as relevant. AWS disseminates this information using three primary mechanisms. First, AWS works diligently to obtain industry certifications and independent third-party attestations. Second, AWS openly publishes information about its security and control practices in whitepapers and website content. Finally, AWS provides certificates, reports, and other documentation directly to its customers under Non-Disclosure Agreements (NDAs) as required.
Overview of Compliance in AWS
When customers move their production workloads to the AWS cloud, both parties become responsible for managing the IT environment. The customers are responsible for setting up their environment in a secure and controlled manner. The customers also need to maintain adequate governance over their entire IT control environment. This section describes the AWS shared responsibility model and gives advice for how to establish strong compliance.
Shared Responsibility Model
As mentioned in Chapter 12, "Security on AWS," as customers migrate their IT environments to AWS, they create a model of shared responsibility between themselves and AWS. This shared responsibility model can help lessen a customer's IT operational burden, as it is AWS's responsibility to manage the components from the host operating system and virtualization layer down to the physical security of the data centers in which these services operate. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software). The customer is also responsible for any other application software, as well as the configuration of security groups, Virtual Private Clouds (VPCs), and so on.
While AWS manages the security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center. Figure 13.1 illustrates the demarcation between customer and AWS responsibilities.
FIGURE 13.1 Shared responsibility model
Customers need to be aware of any applicable laws and regulations with which they have to comply, and then they must consider whether the services that they consume on AWS are compliant with these laws. In some cases, it may be necessary to enhance an existing platform on AWS with additional security measures (such as deploying a web application firewall, Intrusion Detection System [IDS], or Intrusion Prevention System [IPS], or using some form of encryption for data at rest).
This customer/AWS shared responsibility model is not just limited to security considerations, but it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. Before moving to the AWS Cloud, customers were responsible for managing all of the IT controls in their environments. AWS manages the controls for the physical infrastructure, thereby taking the undifferentiated heavy lifting from customers, allowing them to focus on managing the relevant IT controls. Because every customer is deployed differently in AWS, customers can shift management of certain IT controls to AWS. This change in management of IT controls results in a new, distributed control environment. Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required.
Strong Compliance Governance
It is still the customers' responsibility to maintain adequate governance over the entire IT control environment, regardless of how their IT is deployed (whether it is on-premises, on the cloud, or part of a hybrid environment). By deploying to the AWS Cloud, customers have options to apply different types of controls and various verification methods.
To achieve strong compliance and governance, customers may want to follow this basic methodology:
1. Take a holistic approach. Review the information available from AWS together with all other information to understand as much of the IT environment as they can. After this is complete, document all compliance requirements.
2. Design and implement control objectives to meet the organization's compliance requirements.
3. Identify and document controls owned by all third parties.
4. Verify that all control objectives are met and all key controls are designed and operating effectively.
By using this basic methodology, customers can gain a better understanding of their control environment. Ultimately, this will streamline the process and help separate any verification activities that need to be performed.
EvaluatingandIntegratingAWSControlsAWSprovidescustomerswithawiderangeofinformationregardingitsITcontrolenvironmentthroughwhitepapers,reports,certifications,andotherthird-partyattestations.ThisdocumentationassistscustomersinunderstandingthecontrolsinplacerelevanttotheAWSCloudservicestheyuseandhowthosecontrolshavebeenvalidated.ThisinformationalsoassistscustomersintheireffortstoaccountforandvalidatethatcontrolsintheirextendedITenvironmentareoperatingeffectively.
Traditionally,thedesignandoperatingeffectivenessofcontrolsandcontrolobjectivesarevalidatedbyinternaland/orexternalauditorsviaprocesswalkthroughsandevidenceevaluation.Directobservationandverification,bythecustomerorcustomer’sexternalauditor,isgenerallyperformedtovalidatecontrols.InthecasewhereserviceproviderssuchasAWSareused,companiesrequestandevaluatethird-partyattestationsandcertificationsinordertogainreasonableassuranceofthedesignandoperatingeffectivenessofcontrolsandcontrolobjectives.Asaresult,althoughacustomer’skeycontrolsmaybemanagedbyAWS,thecontrolenvironmentcanstillbeaunifiedframeworkinwhichallcontrolsareaccountedforandareverifiedasoperatingeffectively.AWSthird-partyattestationsandcertificationsnotonlyprovideahigherlevelofvalidationofthecontrolenvironment,butmayalsorelievecustomersoftherequirementtoperformcertainvalidationworkthemselves.
AWSITControlInformationAWSprovidesITcontrolinformationtocustomersinthefollowingtwoways.
SpecificControlDefinitionAWScustomerscanidentifykeycontrolsmanagedbyAWS.Keycontrolsarecriticaltothecustomer’scontrolenvironmentandrequireanexternalattestationoftheoperatingeffectivenessofthesekeycontrolsinordertomeetcompliancerequirements(forexample,anannualfinancialaudit).Forthispurpose,AWSpublishesawiderangeofspecificITcontrolsinitsServiceOrganizationControls1(SOC1)TypeIIreport.TheSOC1TypeIIreport,formerlytheStatementonAuditingStandards(SAS)No.70,isawidelyrecognizedauditingstandarddevelopedbytheAmericanInstituteofCertifiedPublicAccountants(AICPA).TheSOC1auditisanin-depthauditofboththedesignandoperatingeffectivenessofAWSdefinedcontrolobjectivesandcontrolactivities(whichincludecontrolobjectivesandcontrolactivitiesoverthepartoftheinfrastructurethatAWSmanages).“TypeII”referstothefactthateachofthecontrolsdescribedinthereportarenotonlyevaluatedforadequacyofdesign,butarealsotestedforoperatingeffectivenessbytheexternalauditor.BecauseoftheindependenceandcompetenceofAWSexternalauditor,controlsidentifiedinthereportshouldprovidecustomerswithahighlevelofconfidenceinAWScontrolenvironment.
AWScontrolscanbeconsideredeffectivelydesignedandoperatingformanycompliancepurposes,includingSarbanes-Oxley(SOX)Section404financialstatementaudits.LeveragingSOC1TypeIIreportsisalsogenerallypermittedbyotherexternalcertifyingbodies.Forexample,InternationalOrganizationforStandardization(ISO)27001auditorsmayrequestaSOC1TypeIIreportinordertocompletetheirevaluationsforcustomers.
GeneralControlStandardComplianceIfanAWScustomerrequiresabroadsetofcontrolobjectivestobemet,evaluationofAWSindustrycertificationsmaybeperformed.WiththeISO27001certification,AWScomplieswithabroad,comprehensivesecuritystandardandfollowsbestpracticesinmaintainingasecureenvironment.WiththePaymentCardIndustry(PCI)DataSecurityStandard(DSS)certification,AWScomplieswithasetofcontrolsimportanttocompaniesthathandlecreditcardinformation.AWScompliancewithFederalInformationSecurityManagementAct(FISMA)standardsmeansthatAWScomplieswithawiderangeofspecificcontrolsrequiredbyU.S.governmentagencies.AWScompliancewiththesegeneralstandardsprovidescustomerswithin-depthinformationonthecomprehensivenatureofthecontrolsandsecurityprocessesinplaceintheAWSCloud.
AWS Global Regions
The AWS Cloud infrastructure is built around regions and Availability Zones. A region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. These Availability Zones offer customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible using a single data center.
As of this writing, the AWS Cloud operates 33 Availability Zones within 12 geographic regions around the world. The 12 regions are US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), China (Beijing), and South America (Sao Paulo).
AWS Risk and Compliance Program
AWS Risk and Compliance is designed to build on traditional programs and help customers establish and operate in an AWS security control environment. AWS provides detailed information about its risk and compliance program to enable customers to incorporate AWS controls into their governance frameworks. This information can assist customers in documenting complete control and governance frameworks in which AWS is included as an important part.
The three core areas of the risk and compliance program—risk management, control environment, and information security—are described next.
Risk Management
AWS has developed a strategic business plan that includes risk identification and the implementation of controls to mitigate or manage risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and implement controls designed to address and perhaps even eliminate those risks.
The AWS control environment is subject to additional internal and external risk assessments. The AWS compliance and security teams have established an information security framework and policies based on the Control Objectives for Information and Related Technology (COBIT) framework, and they have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, AICPA Trust Services Principles, PCI DSS v3.1, and the National Institute of Standards and Technology (NIST) Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems. AWS maintains the security policy and provides security training to its employees. Additionally, AWS performs regular application security reviews to assess the confidentiality, integrity, and availability of data, and conformance to the information security policy.
The AWS security team regularly scans any public-facing endpoint IP addresses for vulnerabilities. It is important to understand that these scans do not include customer instances. AWS security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, independent security firms regularly perform external vulnerability threat assessments. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. These scans are done for the health and viability of the underlying AWS infrastructure and are not meant to replace the customer’s own vulnerability scans that are required to meet their specific compliance requirements.
As mentioned in Chapter 12, customers can request permission to conduct their own vulnerability scans on their own environments. These vulnerability scans must not violate the AWS acceptable use policy, and they must be requested in advance of the scan.
Control Environment
AWS manages a comprehensive control environment that consists of policies, processes, and control activities. This control environment is in place for the secure delivery of AWS service offerings. The collective control environment includes the people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. AWS has integrated applicable, cloud-specific controls identified by leading cloud computing industry bodies into the AWS control framework. AWS continues to monitor these industry groups for ideas on which leading practices can be implemented to better assist customers with managing their control environments.
The control environment at AWS begins at the highest level of the company. Executive and senior leadership play important roles in establishing the company’s tone and core values. Every employee is provided with the company’s code of business conduct and ethics and completes periodic training. Compliance audits are performed so that employees understand and follow the established policies.
The AWS organizational structure provides a framework for planning, executing, and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. Included as part of the company’s hiring verification processes are education, previous employment, and, in some cases, background checks as permitted by law for employees commensurate with the employee’s position and level of access to AWS facilities. The company follows a structured onboarding process to familiarize new employees with Amazon tools, processes, systems, policies, and procedures.
Information Security
AWS uses a formal information security program that is designed to protect the confidentiality, integrity, and availability of customers’ systems and data. AWS publishes several security whitepapers that are available on the main AWS website. These whitepapers are recommended reading prior to taking the AWS Solutions Architect Associate exam.
AWS Reports, Certifications, and Third-Party Attestations
AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS. A high-level description of the various AWS reports, certifications, and attestations is provided here.
Criminal Justice Information Services (CJIS)—AWS complies with the Federal Bureau of Investigation’s (FBI) CJIS standard. AWS signs CJIS security agreements with AWS customers, which include allowing or performing any required employee background checks according to the CJIS security policy.
Cloud Security Alliance (CSA)—In 2011, the CSA launched the Security, Trust, & Assurance Registry (STAR), an initiative to encourage transparency of security practices within cloud providers. CSA STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or with whom they are considering contracting. AWS is a CSA STAR registrant and has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ).
Cyber Essentials Plus—Cyber Essentials Plus is a UK government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks. It demonstrates the baseline controls that AWS implements to mitigate the risk from common Internet-based threats within the context of the UK government’s “10 Steps to Cyber Security.” It is backed by industry, including the Federation of Small Businesses, the Confederation of British Industry, and a number of insurance organizations that offer incentives for businesses holding this certification.
Department of Defense (DoD) Cloud Security Model (SRG)—The DoD SRG provides a formalized assessment and authorization process for Cloud Service Providers (CSPs) to gain a DoD provisional authorization, which can subsequently be leveraged by DoD customers. A provisional authorization under the SRG provides a reusable certification that attests to AWS compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. As of this writing, AWS holds provisional authorizations at Levels 2 (all AWS US-based regions) and 4 (AWS GovCloud [US]) of the SRG.
Federal Risk and Authorization Management Program (FedRAMP)—AWS is a FedRAMP-compliant CSP. AWS has completed the testing performed by a FedRAMP-accredited third-party assessment organization (3PAO) and has been granted two Agency Authority to Operate (ATOs) by the U.S. Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the moderate impact level.
Family Educational Rights and Privacy Act (FERPA)—FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” AWS enables covered entities and their business associates subject to FERPA to leverage the secure AWS environment to process, maintain, and store protected education information.
Federal Information Processing Standard (FIPS) 140-2—FIPS Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, Secure Sockets Layer (SSL) terminations in AWS GovCloud (US) operate using FIPS 140-2-validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
FISMA and DoD Information Assurance Certification and Accreditation Process (DIACAP)—AWS enables U.S. government agencies to achieve and sustain compliance with FISMA. The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous federal civilian and DoD organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DIACAP.
Health Insurance Portability and Accountability Act (HIPAA)—AWS enables covered entities and their business associates subject to HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information. AWS signs business associate agreements with such customers.
Information Security Registered Assessors Program (IRAP)—IRAP enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM). AWS has completed an independent assessment that has determined that all applicable ISM controls are in place relating to the processing, storage, and transmission of Unclassified Dissemination Limiting Marker (DLM) workloads for the Asia Pacific (Sydney) region.
ISO 9001—AWS has achieved ISO 9001 certification. AWS ISO 9001 certification directly supports customers who develop, migrate, and operate their quality-controlled IT systems in the AWS Cloud. Customers can leverage AWS compliance reports as evidence for their own ISO 9001 programs and industry-specific quality programs, such as Good Laboratory, Clinical, or Manufacturing Practices (GxP) in life sciences, ISO 13485 in medical devices, AS 9100 in aerospace, and ISO Technical Specification (ISO/TS) 16949 in the automotive industry. AWS customers who don’t have quality system requirements can still benefit from the additional assurance and transparency that an ISO 9001 certification provides.
ISO 27001—AWS has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
ISO 27017—ISO 27017 is the newest code of practice released by ISO. It provides implementation guidance on information security controls that specifically relate to cloud services. AWS has achieved ISO 27017 certification of the ISMS covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
ISO 27018—This is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002, and it provides implementation guidance on ISO 27002 controls applicable to public cloud-related Personally Identifiable Information (PII). It also provides a set of controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set. AWS has achieved ISO 27018 certification of the AWS ISMS covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
U.S. International Traffic in Arms Regulations (ITAR)—The AWS GovCloud (US) region supports ITAR compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to U.S. persons and restricting the physical location of that data to the U.S. AWS GovCloud (US) provides an environment physically located in the United States where access by AWS personnel is limited to U.S. persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third party to validate that the proper controls are in place to support customer export compliance programs for this requirement.
Motion Picture Association of America (MPAA)—MPAA has established a set of best practices for securely storing, processing, and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure. AWS has demonstrated alignment with the MPAA best practices, and the AWS infrastructure is compliant with all applicable MPAA infrastructure controls. While MPAA does not offer a certification, media industry customers can use the AWS MPAA documentation to augment their risk assessment and evaluation of MPAA-type content on AWS.
Multi-Tier Cloud Security (MTCS) Tier 3 Certification—MTCS is an operational Singapore security management standard (SPRING SS 584:2013) based on the ISO 27001/02 ISMS standards.
NIST—In June 2015, NIST released guideline 800-171, Final Guidelines for Protecting Sensitive Government Information Held by Contractors. This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on non-federal systems. AWS is already compliant with these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which AWS has already been audited under the FedRAMP program. The FedRAMP moderate security control baseline is more rigorous than the recommended requirements established in NIST 800-171, and it includes a significant number of security controls above and beyond those required of FISMA moderate systems that protect CUI data.
PCI DSS Level 1—AWS is Level 1-compliant under PCI DSS. Customers can run applications on the AWS PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released the PCI DSS cloud computing guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. AWS has incorporated the PCI DSS cloud computing guidelines into the AWS PCI compliance package for customers.
SOC 1/International Standards for Assurance Engagements No. 3402 (ISAE 3402)—AWS publishes a SOC 1, Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly Statement on Standards for Attestation Engagements No. 16 [SSAE 16]) and ISAE 3402. This dual-standard report is intended to meet a broad range of financial auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This report is the replacement of the SAS 70, Type II audit report.
SOC 2—In addition to the SOC 1 report, AWS publishes a SOC 2, Type II report. Similar to SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the AICPA trust services principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of AWS controls that meet the criteria for the security and availability principles set forth in the AICPA trust services principles criteria. The report provides additional transparency into AWS security and availability based on a predefined industry standard of leading practices and further demonstrates the AWS commitment to protecting customer data. The SOC 2 report scope covers the same services covered in the SOC 1 report.
SOC 3—AWS publishes a SOC 3 report. The SOC 3 report is a publicly available summary of the AWS SOC 2 report. The report includes the external auditor’s opinion of the operation of controls (based on the AICPA security trust principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS infrastructure and services. The AWS SOC 3 report includes all AWS data centers worldwide that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process of requesting a SOC 2 report. The SOC 3 report covers the same services covered in the SOC 1 report.
Summary
AWS communicates with customers regarding its security and control environment through the following mechanisms:
Obtaining industry certifications and independent third-party attestations
Publishing information about security and AWS control practices via the website, whitepapers, and blogs
Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
The shared responsibility model is not just limited to security considerations; it also extends to IT controls. The management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where they relate to the physical infrastructure, and the customer manages these controls for the guest operating systems and upward (depending on the service).
It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how their IT is deployed (on-premises, cloud, or hybrid). By deploying to the AWS Cloud, customers have different options for applying different types of controls and various verification methods that align with their business requirements.
The control environment for AWS contains a large volume of information. This information is provided to customers through whitepapers, reports, certifications, and other third-party attestations. AWS provides IT control information to customers in two ways: specific control definition and general control standard compliance.
AWS provides documentation about its risk and compliance program. This documentation can enable customers to include AWS controls in their governance frameworks. The three core areas of the risk and compliance program are risk management, control environment, and information security.
AWS has achieved a number of internationally recognized certifications and accreditations that demonstrate AWS compliance with third-party assurance frameworks, including:
FedRAMP
FIPS 140-2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
AWS is constantly listening to customers and examining other certifications for the future.
Exam Essentials
Understand the shared responsibility model. The shared responsibility model is not just limited to security considerations; it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where they relate to physical infrastructure.
Remember that IT governance is the customer’s responsibility. It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how its IT is deployed (on-premises, cloud, or hybrid).
Understand how AWS provides control information. AWS provides IT control information to customers in two ways: via specific control definition and through a more general control standard compliance.
Remember that AWS is very proactive about risk management. AWS takes risk management very seriously, so it has developed a business plan to identify any risks and to implement controls to mitigate or manage those risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and then implement controls designed to address and perhaps even eliminate those risks.
Remember that the control environment is not just about technology. The AWS control environment consists of policies, processes, and control activities. This control environment includes people, processes, and technology.
Remember the key reports, certifications, and third-party attestations. The key reports, certifications, and third-party attestations include, but are not limited to, the following:
FedRAMP
FIPS 140-2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
Review Questions
1. AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanisms? (Choose 3 answers)
A. Obtaining industry certifications and independent third-party attestations
B. Publishing information about security and AWS control practices via the website, whitepapers, and blogs
C. Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
D. Allowing customers’ auditors direct access to AWS data centers, infrastructure, and senior staff
2. Which of the following statements is true when it comes to the AWS shared responsibility model?
A. The shared responsibility model is limited to security considerations only; it does not extend to IT controls.
B. The shared responsibility model is only applicable for customers who want to be compliant with SOC 1 Type II.
C. The shared responsibility model is not just limited to security considerations; it also extends to IT controls.
D. The shared responsibility model is only applicable for customers who want to be compliant with ISO 27001.
3. AWS provides IT control information to customers in which of the following ways?
A. By using specific control definitions or through general control standard compliance
B. By using specific control definitions or through SAS 70
C. By using general control standard compliance and by complying with ISO 27001
D. By complying with ISO 27001 and SOC 1 Type II
4. Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose 3 answers)
A. SOC 1
B. PCI DSS Level 1
C. SOC 4
D. ISO 27001
5. Which of the following statements is true?
A. IT governance is still the customer’s responsibility, despite deploying their IT estate onto the AWS platform.
B. The AWS platform is PCI DSS-compliant to Level 1. Customers can deploy their web applications to this platform, and they will be PCI DSS-compliant automatically.
C. The shared responsibility model applies to IT security only; it does not relate to governance.
D. AWS doesn’t take risk management very seriously, and it’s up to the customer to mitigate risks to the AWS infrastructure.
6. Which of the following statements is true when it comes to the risk and compliance advantages of the AWS environment?
A. Workloads must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations.
B. The critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the non-critical components do not.
C. The non-critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the critical components do not.
D. Few, many, or all components of a workload can be moved to the AWS Cloud, but it is the customer’s responsibility to ensure that their entire workload remains compliant with various certifications and third-party attestations.
7. Which of the following statements best describes an Availability Zone?
A. Each Availability Zone consists of a single discrete data center with redundant power and networking/connectivity.
B. Each Availability Zone consists of multiple discrete data centers with redundant power and networking/connectivity.
C. Each Availability Zone consists of multiple discrete regions, each with a single data center with redundant power and networking/connectivity.
D. Each Availability Zone consists of multiple discrete data centers with shared power and redundant networking/connectivity.
8. With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose 2 answers)
A. AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities.
B. Scans performed by AWS include customer instances.
C. AWS security notifies the appropriate parties to remediate any identified vulnerabilities.
D. Customers can perform their own scans at any time without advance notice.
9. Which of the following best describes the risk and compliance communication responsibilities of customers to AWS?
A. AWS and customers both communicate their security and control environment information to each other at all times.
B. AWS publishes information about the AWS security and control practices online, and directly to customers under NDA. Customers do not need to communicate their use and configurations to AWS.
C. Customers communicate their use and configurations to AWS at all times. AWS does not communicate AWS security and control practices to customers for security reasons.
D. Both customers and AWS keep their security and control practices entirely confidential and do not share them in order to ensure the greatest security for all parties.
10. When it comes to risk management, which of the following is true?
A. AWS does not develop a strategic business plan; risk management and mitigation is entirely the responsibility of the customer.
B. AWS has developed a strategic business plan to identify any risks and implemented controls to mitigate or manage those risks. Customers do not need to develop and maintain their own risk management plans.
C. AWS has developed a strategic business plan to identify any risks and has implemented controls to mitigate or manage those risks. Customers should also develop and maintain their own risk management plans to ensure they are compliant with any relevant controls and certifications.
D. Neither AWS nor the customer needs to worry about risk management, so no plan is needed from either party.
11. The AWS control environment is in place for the secure delivery of AWS Cloud service offerings. Which of the following does the collective control environment NOT explicitly include?
A. People
B. Energy
C. Technology
D. Processes
12. Who is responsible for the configuration of security groups in an AWS environment?
A. The customer and AWS are both jointly responsible for ensuring that security groups are correctly and securely configured.
B. AWS is responsible for ensuring that all security groups are correctly and securely configured. Customers do not need to worry about security group configuration.
C. Neither AWS nor the customer is responsible for the configuration of security groups; security groups are intelligently and automatically configured using traffic heuristics.
D. AWS provides the security group functionality as a service, but the customer is responsible for correctly and securely configuring their own security groups.
13. Which of the following is NOT a recommended approach for customers trying to achieve strong compliance and governance over an entire IT control environment?
A. Take a holistic approach: review information available from AWS together with all other information, and document all compliance requirements.
B. Verify that all control objectives are met and all key controls are designed and operating effectively.
C. Implement generic control objectives that are not specifically designed to meet their organization’s compliance requirements.
D. Identify and document controls owned by all third parties.
Chapter 14 Architecture Best Practices
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Hybrid IT architectures (e.g., AWS Direct Connect, AWS Storage Gateway, Amazon Virtual Private Cloud [Amazon VPC], AWS Directory Service)
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
IntroductionForseveralyears,softwarearchitectshavecreatedandimplementedpatternsandbestpracticestobuildhighlyscalableapplications.Whethermigratingexistingapplicationstothecloudorbuildingnewapplicationsonthecloud,theseconceptsareevenmoreimportantbecauseofever-growingdatasets,unpredictabletrafficpatterns,andthedemandforfasterresponsetimes.
MigratingapplicationstoAWS,evenwithoutsignificantchanges,providesorganizationswiththebenefitsofasecuredandcost-efficientinfrastructure.Tomakethemostoftheelasticityandagilitypossiblewithcloudcomputing,however,SolutionsArchitectsneedtoevolvetheirarchitecturestotakefulladvantageofAWScapabilities.
Fornewapplications,AWScustomershavebeendiscoveringcloud-specificITarchitecturepatternsthatdriveevenmoreefficiencyandscalabilityfortheirsolutions.Thosenewarchitecturescansupportanythingfromreal-timeanalyticsofInternet-scaledatatoapplicationswithunpredictabletrafficfromthousandsofconnectedInternetofThings(IoT)ormobiledevices.ThisleavesendlesspossibilitiesforapplicationsarchitectedusingAWSbestpractices.
ThischapterhighlightsthetenetsofarchitecturebestpracticestoconsiderwhetheryouaremigratingexistingapplicationstoAWSordesigningnewapplicationsforthecloud.Thesetenetsinclude:
Designforfailureandnothingwillfail.
Implementelasticity.
Leveragedifferentstorageoptions.
Buildsecurityineverylayer.
Thinkparallel.
Loosecouplingsetsyoufree.
Don’tfearconstraints.
Understandingtheservicescoveredinthisbookinthecontextofthesepracticesiskeytosucceedingontheexam.
Design for Failure and Nothing Fails

The first architecture best practice for AWS is the fundamental principle of designing for failure.

Everything fails, all the time.
—Werner Vogels, CTO, AWS

Typically, production systems come with defined or implicit requirements in terms of uptime. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won’t fail when an individual component does. As an example, one goal when designing for failure would be to ensure an application survives when the underlying physical hardware for one of the servers fails.

Let’s take a look at the simple web application illustrated in Figure 14.1. This application has some fundamental design issues for protecting against component failures. To start, there is no redundancy or failover, which results in single points of failure.

FIGURE 14.1 Simple web application architecture

If the single web server fails, the system fails.
If the single database fails, the system fails.
If the Availability Zone (AZ) fails, the system fails.

Bottom line, there are too many eggs in one basket.

Now let’s walk through transforming this simple application into a more resilient architecture. To begin, we are going to address the single points of failure in the current architecture. Single points of failure can be removed by introducing redundancy, which is having multiple resources for the same task. Redundancy can be implemented in either standby or active mode.

In standby redundancy, when a resource fails, functionality is recovered on a secondary resource using a process called failover. The failover will typically require some time before it is completed, and during that period the resource remains unavailable. The secondary resource can either be launched automatically only when needed (to reduce cost), or it can be already running idle (to accelerate failover and minimize disruption). Standby redundancy is often used for stateful components such as relational databases.

In active redundancy, requests are distributed to multiple redundant compute resources, and when one of them fails, the rest can simply absorb a larger share of the workload. Compared to standby redundancy, it can achieve better utilization and affect a smaller population when there is a failure.

To address the redundancy issues, we will add another web instance and add a standby instance for Amazon Relational Database Service (Amazon RDS) to provide high availability and automatic failover. The key is that we are going to add the new resources in another AZ. An AZ consists of one or more discrete data centers. AZs within a region provide inexpensive, low-latency network connectivity to other AZs in the same region. This allows our application to replicate data across data centers in a synchronous manner so that failover can be automated and be transparent for the users.

Additionally, we are going to implement active redundancy by swapping out the Elastic IP Address (EIP) on our web instance with an Elastic Load Balancer (ELB). The ELB allows inbound requests to be distributed between the web instances. Not only will the ELB help with distributing load between multiple instances, it will also stop sending traffic to the affected web node if an instance fails its health checks. Figure 14.2 shows the updated architecture with redundancy for the web application.

FIGURE 14.2 Updated web application architecture with redundancy

This Multi-AZ architecture helps to ensure that the application is isolated from failures in a single Availability Zone. In fact, many of the higher level services on AWS are inherently designed according to the Multi-AZ principle. For example, Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB ensure that data is redundantly stored across multiple facilities.

One rule of thumb to keep in mind when designing architectures in the cloud is to be a pessimist; that is, assume things will fail. In other words, always design, implement, and deploy for automated recovery from failure.
Implement Elasticity

Elasticity is the ability of a system to grow to handle increased load, whether gradually over time or in response to a sudden change in business needs. To achieve elasticity, it is important that the system be built on a scalable architecture. Such architectures can support growth in users, traffic, or data size with no drop in performance. These architectures should provide scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. While cloud computing provides virtually unlimited on-demand capacity, system architectures need to be able to take advantage of those resources seamlessly. There are generally two ways to scale an IT architecture: vertically and horizontally.

Scaling Vertically

Vertical scaling takes place through an increase in the specifications of an individual resource (for example, upgrading a server with a larger hard drive, more memory, or a faster CPU). On Amazon Elastic Compute Cloud (Amazon EC2), this can easily be achieved by stopping an instance and resizing it to an instance type that has more RAM, CPU, I/O, or networking capabilities. Vertical scaling will eventually hit a limit, and it is not always a cost-efficient or highly available approach. Even so, it is very easy to implement and can be sufficient for many use cases, especially in the short term.

Scaling Horizontally

Horizontal scaling takes place through an increase in the number of resources (for example, adding more hard drives to a storage array or adding more servers to support an application). This is a great way to build Internet-scale applications that leverage the elasticity of cloud computing. Not all architectures are designed to distribute their workload to multiple resources, and it is important to understand system characteristics that can affect a system’s ability to scale horizontally. One key characteristic is the impact of stateless and stateful architectures.

Stateless Applications

When users or services interact with an application, they will often perform a series of interactions that form a session. A stateless application needs no knowledge of the previous interactions and stores no session information. A stateless application can scale horizontally, because any request can be serviced by any of the available system compute resources. Because no session data needs to be shared between system resources, compute resources can be added as needed. When excess capacity is no longer required, any individual resource can be safely terminated. Those resources do not need to be aware of the presence of their peers; all that is required is a way to distribute the workload to them.
Let’s assume that the web application we used in the previous section is a stateless application with unpredictable demand. In order for our web instances to meet the peaks and valleys associated with our demand profile, we need to scale elastically. A great way to introduce elasticity and horizontal scaling is by leveraging Auto Scaling for web instances. An Auto Scaling group can automatically add Amazon EC2 instances to an application in response to heavy traffic and remove them when traffic slows. Figure 14.3 shows our web application architecture after the introduction of an Auto Scaling group.

FIGURE 14.3 Updated web application architecture with autoscaling
Stateless Components

In practice, most applications need to maintain some kind of state information. For example, web applications need to track whether a user is signed in, or else they might present personalized content based on previous actions. You can still make a portion of these architectures stateless by not storing state information locally on a horizontally-scaling resource, as those resources can appear and disappear as the system scales up and down.

For example, web applications can use HTTP cookies to store information about a session at the client’s browser (such as items in the shopping cart). The browser passes that information back to the server at each subsequent request so that the application does not need to store it. However, there are two drawbacks with this approach. First, the content of the HTTP cookies can be tampered with at the client side, so you should always treat them as untrusted data that needs to be validated. Second, HTTP cookies are transmitted with every request, which means that you should keep their size to a minimum to avoid unnecessary latency.

Consider only storing a unique session identifier in an HTTP cookie and storing more detailed user session information server-side. Most programming platforms provide a native session management mechanism that works this way; however, these management mechanisms often store the session information locally by default. This would result in a stateful architecture. A common solution to this problem is to store user session information in a database. Amazon DynamoDB is a great choice due to its scalability, high availability, and durability characteristics. For many platforms, there are open source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB.
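The following is an added example, not code from the study guide or from AWS: it shows the cookie design the paragraphs above recommend, where the cookie carries only a random session identifier plus an HMAC signature, the cookie is treated as untrusted input (signature check, expiry check), and the session record itself lives server-side. The in-memory dictionary stands in for the Amazon DynamoDB session table; the record layout, the signing key, and the "id.signature" cookie format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed signing key for this example; a real deployment loads it from a secrets manager.
SERVER_KEY = b"example-signing-key-not-for-production"
SESSION_TTL_SECONDS = 3600

# Stand-in for the Amazon DynamoDB session table (assumed layout): session_id -> record.
session_store: Dict[str, dict] = {}


def _sign(session_id: str) -> str:
    """HMAC-SHA256 over the session id, so a modified cookie no longer verifies."""
    return hmac.new(SERVER_KEY, session_id.encode("ascii"), hashlib.sha256).hexdigest()


def create_session(user: str, now: Optional[float] = None) -> str:
    """Store the session server-side and return the cookie value: '<id>.<signature>'."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 random bits: unguessable, carries no user data
    session_store[session_id] = {"user": user, "cart": [], "expires": now + SESSION_TTL_SECONDS}
    return f"{session_id}.{_sign(session_id)}"


def load_session(cookie_value: str, now: Optional[float] = None) -> Optional[dict]:
    """Treat the cookie as untrusted input: verify signature and expiry before using it."""
    now = time.time() if now is None else now
    if not isinstance(cookie_value, str) or cookie_value.count(".") != 1:
        return None
    session_id, presented_sig = cookie_value.split(".", 1)
    if not (session_id.isascii() and presented_sig.isascii()):
        return None
    # Constant-time comparison, so the check does not leak the expected signature.
    if not hmac.compare_digest(_sign(session_id), presented_sig):
        return None
    record = session_store.get(session_id)
    if record is None or record["expires"] <= now:
        session_store.pop(session_id, None)  # expired: drop the server-side state too
        return None
    return record


def tampered_copy(cookie_value: str) -> str:
    """Demonstration helper: a cookie whose id was altered but whose signature was kept."""
    session_id, sig = cookie_value.split(".", 1)
    altered = ("A" if session_id[0] != "A" else "B") + session_id[1:]
    return f"{altered}.{sig}"
```

Because the cookie holds only the identifier, it stays small and nothing the client can edit (user name, cart contents) is ever trusted; any web instance that can reach the shared store can serve the next request, which is what lets the web tier scale horizontally.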
Stateful Components

Inevitably, there will be layers of your architecture that you won’t turn into stateless components. First, by definition, databases are stateful. In addition, many legacy applications were designed to run on a single server by relying on local compute resources. Other use cases might require client devices to maintain a connection to a specific server for prolonged periods of time. For example, real-time multiplayer gaming must offer multiple players a consistent view of the game world with very low latency. This is much simpler to achieve in a non-distributed implementation where participants are connected to the same server.

Deployment Automation

Whether you are deploying a new environment for testing or increasing capacity of an existing system to cope with extra load, you will not want to set up new resources manually with their configuration and code. It is important that you make this an automated and repeatable process that avoids long lead times and is not prone to human error. Automating the deployment process and streamlining the configuration and build process is key to implementing elasticity. This will ensure that the system can scale without any human intervention.

Automate Your Infrastructure

One of the most important benefits of using a cloud environment is the ability to use the cloud’s Application Program Interfaces (APIs) to automate your deployment process. It is recommended that you take the time to create an automated deployment process early on during the migration process and not wait until the end. Creating an automated and repeatable deployment process will help reduce errors and facilitate an efficient and scalable update process.

Bootstrap Your Instances

When you launch an AWS resource like an Amazon EC2 instance, you start with a default configuration. You can then execute automated bootstrapping actions as described in Chapter 3, “Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS).” Let your instances ask a question at boot: “Who am I and what is my role?” Every instance should have a role to play in the environment (such as database server, application server, or slave server in the case of a web application). Roles may be applied during launch and can instruct the AMI on the steps to take after it has booted. On boot, an instance should grab the necessary resources (for example, code, scripts, or configuration) based on the role and “attach” itself to a cluster to serve its function.

Benefits of bootstrapping your instances include:

Recreate environments (for example, development, staging, production) with few clicks and minimal effort.
Maintain more control over your abstract, cloud-based resources.
Reduce human-induced deployment errors.
Create a self-healing and self-discoverable environment that is more resilient to hardware failure.
Designing intelligent elastic cloud architectures, where infrastructure runs only when you need it, is an art. As a Solutions Architect, elasticity should be one of the fundamental design requirements when defining your architectures. Here are some questions to keep in mind when designing cloud architectures:

What components or layers in my application architecture can become elastic?
What will it take to make that component elastic?
What will be the impact of implementing elasticity to my overall system architecture?
Leverage Different Storage Options

AWS offers a broad range of storage choices for backup, archiving, and disaster recovery, as well as block, file, and object storage to suit a plethora of use cases. For example, services like Amazon Elastic Block Store (Amazon EBS), Amazon S3, Amazon RDS, and Amazon CloudFront provide a wide range of choices to meet different storage needs. It is important from a cost, performance, and functional aspect to leverage different storage options available in AWS for different types of datasets.

One Size Does Not Fit All

Your workload and use case should dictate what storage option to leverage in AWS. No one storage option is suitable for all situations. Table 14.1 provides a list of some storage scenarios and which AWS storage option you should consider to meet the identified need. This table is not meant to be an all-encompassing capture of scenarios, but an example guide.

TABLE 14.1 Storage Scenarios and AWS Storage Options

Sample Scenario | Storage Option
Your web application needs large-scale storage capacity and performance. -or- You need cloud storage with high data durability to support backup and active archives for disaster recovery. | Amazon S3
You require cloud storage for data archiving and long-term backup. | Amazon Glacier
You require a content delivery network to deliver entire websites, including dynamic, static, streaming, and interactive content using a global network of edge locations. | Amazon CloudFront
You require a fast and flexible NoSQL database with a flexible data model and reliable performance. | Amazon DynamoDB
You need reliable block storage to run mission-critical applications such as Oracle, SAP, Microsoft Exchange, and Microsoft SharePoint. | Amazon EBS
You need a highly available, scalable, and secure MySQL database without the time-consuming administrative tasks. | Amazon RDS
You need a fast, powerful, fully-managed, petabyte-scale data warehouse to support business analytics of your e-commerce application. | Amazon Redshift
You need a Redis cluster to store session information for your web application. | Amazon ElastiCache
You need a common file system for your application that is shared between more than one Amazon EC2 instance. | Amazon Elastic File System (Amazon EFS)
Let’s return to our sample web application architecture and show how different storage options can be leveraged to optimize cost and architecture. We can start by moving any static assets from our web instances to Amazon S3, and then serve those objects via Amazon CloudFront. These static assets would include all of the images, videos, CSS, JavaScript, and any other heavy static content that is currently delivered via the web instances. By serving these files via an Amazon S3 origin with global caching and distribution via Amazon CloudFront, the load will be reduced on the web instances and allow the web tier footprint to be reduced. Figure 14.4 shows the updated architecture for our sample web application.

FIGURE 14.4 Updated web application architecture with Amazon S3 and Amazon CloudFront

To further optimize our storage options, the session information for our sample web application can be moved to Amazon DynamoDB or even to Amazon ElastiCache. For our scenario, we will use Amazon DynamoDB to store the session information because the AWS Software Development Kits (SDKs) provide connectors for many popular web development frameworks that make storing session information in Amazon DynamoDB easy. By removing session state from our web tier, the web instances do not lose session information when horizontal scaling from Auto Scaling happens. Additionally, we will leverage Amazon ElastiCache to store common database query results, thereby taking the load off of our database tier. Figure 14.5 shows the addition of Amazon ElastiCache and Amazon DynamoDB to our web application architecture.

FIGURE 14.5 Updated web application architecture with Amazon ElastiCache and Amazon DynamoDB

As a Solutions Architect, you will ultimately come to a point where you need to decide and define what your storage requirements are for the data that you need to store on AWS. There are a variety of options to choose from depending on your needs, each with different attributes ranging from database storage, block storage, highly available object-based storage, and even cold archival storage. Ultimately, your workload requirements will dictate which storage option makes sense for your use case.
Build Security in Every Layer

With traditional IT, infrastructure security auditing would often be a periodic and manual process. The AWS Cloud instead provides governance capabilities that enable continuous monitoring of configuration changes to your IT resources. Because AWS assets are programmable resources, your security policy can be formalized and embedded with the design of your infrastructure. With the ability to spin up temporary environments, security testing can now become part of your continuous delivery pipeline. Solutions Architects can leverage a plethora of native AWS security and encryption features that can help achieve higher levels of data protection and compliance at every layer of cloud architectures.

Best Practice

Inventory your data, prioritize it by value, and apply the appropriate level of encryption for the data in transit and at rest.

Most of the security tools and techniques with which you might already be familiar in a traditional IT infrastructure can be used in the cloud. At the same time, AWS allows you to improve your security in a variety of ways. AWS is a platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT and makes your environment much easier to audit in a continuous manner.

Use AWS Features for Defense in Depth

AWS provides a wealth of features that help Solutions Architects build defense in depth. Starting at the network level, you can build an Amazon Virtual Private Cloud (Amazon VPC) topology that isolates parts of the infrastructure through the use of subnets, security groups, and routing controls. Services like AWS Web Application Firewall (AWS WAF) can help protect your web applications from SQL injection and other vulnerabilities in your application code. For access control, you can use AWS Identity and Access Management (IAM) to define a granular set of policies and assign them to users, groups, and AWS resources. Finally, the AWS platform offers a breadth of options for protecting data with encryption, whether the data is in transit or at rest.

Understanding the security features offered by AWS is important for the exam, and it is covered in detail in Chapter 12, “Security on AWS.”

Offload Security Responsibility to AWS

AWS operates under a shared responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure, and you are responsible for securing the workloads you deploy on AWS. This way, you can reduce the scope of your responsibility and focus on your core competencies through the use of AWS managed services. For example, when you use managed services such as Amazon RDS, Amazon ElastiCache, Amazon CloudSearch, and others, security patches become the responsibility of AWS. This not only reduces operational overhead for your team, but it could also reduce your exposure to vulnerabilities.
Reduce Privileged Access

Another common source of security risk is the use of service accounts. In a traditional environment, service accounts would often be assigned long-term credentials stored in a configuration file. On AWS, you can instead use IAM roles to grant permissions to applications running on Amazon EC2 instances through the use of temporary security tokens. Those credentials are automatically distributed and rotated. For mobile applications, the use of Amazon Cognito allows client devices to get controlled access to AWS resources via temporary tokens. For AWS Management Console users, you can similarly provide federated access through temporary tokens instead of creating IAM users in your AWS account. In that way, an employee who leaves your organization and is removed from your organization’s identity directory will also lose access to your AWS account.

Best Practice

Follow the standard security practice of granting least privilege—that is, granting only the permissions required to perform a task—to IAM users, groups, roles, and policies.
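A least-privilege review of an IAM policy can itself be automated, in the spirit of the "security as code" and continuous-auditing practices this section goes on to describe. The checker below is an added example, not code from the study guide or an AWS tool: it walks the Statement list of an IAM policy document and reports Allow statements that use wildcard actions or resources, Allow statements written with NotAction, and statements granting privilege-management actions. The sample policy, the account id, and the read-only-action heuristic are constructed for the example.

```python
import json
from typing import List

# Actions that let an identity change its own or others' privileges. Not an exhaustive list.
PRIVILEGE_MANAGEMENT = {
    "iam:PassRole", "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:CreateAccessKey", "sts:AssumeRole",
}
# Heuristic: API names starting with these verbs do not modify resources.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value) -> list:
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    # "s3:GetObject" -> "GetObject"; "*" and "s3:*" have no verb and count as writes.
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy: dict) -> List[str]:
    """Return one finding per least-privilege problem found in Allow statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                findings.append(f"{sid}: service-wide wildcard action(s) {wild}")
        writes = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and writes:
            findings.append(f"{sid}: Resource '*' with write actions {writes}; scope to specific ARNs")
        risky = [a for a in actions if a in PRIVILEGE_MANAGEMENT or a == "*" or a == "iam:*"]
        if risky:
            findings.append(f"{sid}: privilege-management action(s) {risky} need a Condition or a dedicated role")
    return findings


# Constructed sample policy; 111122223333 is a placeholder account id.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-assets", "arn:aws:s3:::example-app-assets/*"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Escalation", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    {"Sid": "DenyEverythingElse", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The ReadOwnBucket statement passes because its actions are read-only and its resources are specific ARNs; the other two Allow statements each produce findings. A check like this fits naturally in the continuous-integration step that deploys the policy.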
Security as Code

Traditional security frameworks, regulations, and organizational policies define security requirements related to things such as firewall rules, network access controls, internal/external subnets, and operating system hardening. You can implement these in an AWS environment as well, but you now have the opportunity to capture them all in a script that defines a “Golden Environment.” This means that you can create an AWS CloudFormation script that captures and reliably deploys your security policies. Security best practices can now be reused among multiple projects and become part of your continuous integration pipeline. You can perform security testing as part of your release cycle and automatically discover application gaps and drift from your security policies.

Additionally, for greater control and security, AWS CloudFormation templates can be imported as “products” into AWS Service Catalog. This enables centralized management of resources to support consistent governance, security, and compliance requirements while enabling users to deploy quickly only the approved IT services they need. You apply IAM permissions to control who can view and modify your products, and you define constraints to restrict the ways that specific AWS resources can be deployed for a product.

Real-Time Auditing

Testing and auditing your environment is key to moving fast while staying safe. Traditional approaches that involve periodic (and often manual or sample-based) checks are not sufficient, especially in agile environments where change is constant. On AWS, you can implement continuous monitoring and automation of controls to minimize exposure to security risks. Services like AWS Config Rules, Amazon Inspector, and AWS Trusted Advisor continually monitor for compliance or vulnerabilities, giving you a clear overview of which IT resources are or are not in compliance. With AWS Config Rules, you will also know if some component was out of compliance even for a brief period of time, making both point-in-time and period-in-time audits very effective. You can implement extensive logging for your applications using Amazon CloudWatch Logs and for the actual AWS API calls by enabling AWS CloudTrail. AWS CloudTrail is a web service that records API calls to supported AWS Cloud services in your AWS account and creates a log file. AWS CloudTrail logs are stored in an immutable manner to an Amazon S3 bucket of your choice. These logs can then be automatically processed either to notify or even take action on your behalf, protecting your organization from non-compliance. You can use AWS Lambda, Amazon Elastic MapReduce (Amazon EMR), Amazon Elasticsearch Service, or third-party tools from the AWS Marketplace to scan logs to detect things like unused permissions, overuse of privileged accounts, usage of keys, anomalous logins, policy violations, and system abuse.
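To make the "scan logs to detect anomalous logins and overuse of privileged accounts" idea concrete, here is an added example (not from the study guide, and not an AWS-provided detector) that runs a few detections over CloudTrail-style records: root account activity, console sign-ins that succeeded without MFA, repeated failed console sign-ins from one source, and changes to the trail itself. The records are constructed for the example, with placeholder IP addresses and account id; the field names (eventName, userIdentity, responseElements, additionalEventData) follow the CloudTrail record format, but the thresholds and the set of trail-tampering event names are choices made here.

```python
import json
from collections import Counter
from typing import List

FAILED_LOGIN_THRESHOLD = 3  # assumed threshold for this example
# CloudTrail API calls that weaken or disable the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed records; 111122223333 and the 203.0.113.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventTime": "2017-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2017-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "dev-user"}, "sourceIPAddress": "198.51.100.7",
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2017-03-01T08:05:20Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "dev-user"}, "sourceIPAddress": "198.51.100.7",
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2017-03-01T08:05:41Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "dev-user"}, "sourceIPAddress": "198.51.100.7",
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2017-03-01T09:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}, "sourceIPAddress": "203.0.113.22",
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2017-03-01T09:02:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}, "sourceIPAddress": "203.0.113.22",
  "requestParameters": {"name": "example-trail"}, "responseElements": null},
 {"eventTime": "2017-03-01T09:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "userIdentity": {"type": "IAMUser", "userName": "app-deployer"}, "sourceIPAddress": "203.0.113.30",
  "responseElements": null}
]}""")


def detect(records: List[dict]) -> List[str]:
    """Return one alert string per suspicious pattern found in the records."""
    alerts = []
    failed_logins = Counter()  # (principal, source ip) -> failure count
    for record in records:
        identity = record.get("userIdentity") or {}
        principal = identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")
        event = record.get("eventName")
        source_ip = record.get("sourceIPAddress")
        if identity.get("type") == "Root":
            alerts.append(f"root account activity: {event} from {source_ip}")
        if event == "ConsoleLogin":
            outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_logins[(principal, source_ip)] += 1
            elif outcome == "Success" and (record.get("additionalEventData") or {}).get("MFAUsed") == "No":
                alerts.append(f"console login without MFA: {principal} from {source_ip}")
        if record.get("eventSource") == "cloudtrail.amazonaws.com" and event in TRAIL_TAMPERING:
            alerts.append(f"trail configuration change: {event} by {principal}")
    for (principal, source_ip), count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{count} failed console logins for {principal} from {source_ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG["Records"]):
        print(alert)
```

Run as a scheduled job over the CloudTrail objects in the S3 bucket, or as a Lambda function triggered by each new log object, the same function produces notifications rather than printed lines; the ordinary PutObject record produces no alert, which is the point of scoping each rule to a specific pattern.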
While AWS provides an excellent service management layer around infrastructure or platform services, organizations are still responsible for protecting the confidentiality, integrity, and availability of their data in the cloud. AWS provides a range of security services and architectural concepts that organizations can use to manage security of their assets and data in the cloud.

Think Parallel

The cloud makes parallelization effortless. Whether it is requesting data from the cloud, storing data to the cloud, or processing data in the cloud, as a Solutions Architect you need to internalize the concept of parallelization when designing architectures in the cloud. It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.

When it comes to accessing (retrieving and storing) data, the cloud is designed to handle massively parallel operations. In order to achieve maximum performance and throughput, you should leverage request parallelization. Multi-threading your requests by using multiple concurrent threads will store or fetch the data faster than requesting it sequentially. Hence, a general best practice for developing cloud applications is to design the processes for leveraging multi-threading.

When it comes to processing or executing requests in the cloud, it becomes even more important to leverage parallelization. A general best practice, in the case of a web application, is to distribute the incoming requests across multiple asynchronous web servers using a load balancer. In the case of a batch processing application, you can leverage a master node with multiple slave worker nodes that process tasks in parallel (as in distributed processing frameworks like Hadoop).

The beauty of the cloud shines when you combine elasticity and parallelization. Your cloud application can bring up a cluster of compute instances that are provisioned within minutes with just a few API calls, perform a job by executing tasks in parallel, store the results, and then terminate all of the instances.
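The multi-threaded request pattern described above, combined with the "design for failure" tenet from the start of the chapter, is shown in the following added example (not code from the study guide or from an AWS SDK). A pool of threads stores many objects concurrently, and each request is wrapped in a retry with exponential backoff and jitter, because in a massively parallel client some individual requests will be throttled or fail transiently. The object store is a constructed in-memory stand-in that fails a configurable number of times for selected keys; the retry parameters are assumptions for the example.

```python
import random
import threading
import time
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List


class TransientError(Exception):
    """A retryable failure, such as throttling or a dropped connection."""


class FakeObjectStore:
    """Constructed stand-in for an object store. For keys listed in `flaky`, the first
    N put() calls raise TransientError, then succeed; everything else succeeds at once."""

    def __init__(self, flaky: Dict[str, int]):
        self._flaky = dict(flaky)
        self._attempts: Counter = Counter()
        self._lock = threading.Lock()  # put() is called from many threads
        self.stored: Dict[str, bytes] = {}

    def put(self, key: str, body: bytes) -> str:
        with self._lock:
            self._attempts[key] += 1
            if self._flaky.get(key, 0) >= self._attempts[key]:
                raise TransientError(f"{key}: throttled on attempt {self._attempts[key]}")
            self.stored[key] = body
        return key

    def attempts(self, key: str) -> int:
        return self._attempts[key]


def with_retry(op: Callable, *args, max_attempts: int = 5, base_delay: float = 0.001,
               rng: Callable[[], float] = random.random):
    """Call op(*args), retrying transient failures with capped exponential backoff and full jitter."""
    for attempt in range(1, max_attempts + 1):
        try:
            return op(*args)
        except TransientError:
            if attempt == max_attempts:
                raise  # design for failure also means failing loudly once retries are exhausted
            # Jitter spreads retries out so many parallel clients do not retry in lockstep.
            time.sleep(min(1.0, base_delay * (2 ** (attempt - 1))) * rng())


def parallel_put(store: FakeObjectStore, objects: Dict[str, bytes], workers: int = 8) -> List[str]:
    """Store all objects using `workers` concurrent threads; returns the sorted list of stored keys.
    Any key that still fails after retries propagates its exception from result()."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(with_retry, store.put, key, body) for key, body in objects.items()]
        return sorted(future.result() for future in futures)


if __name__ == "__main__":
    parts = {f"part-{i:03d}": bytes([i]) * 16 for i in range(20)}  # constructed payloads
    demo_store = FakeObjectStore({"part-003": 2, "part-011": 4})
    print(len(parallel_put(demo_store, parts)), "objects stored")
```

Sequential code with the same retry logic would be just as correct but far slower; the thread pool is what turns twenty round trips into roughly the latency of the slowest few, and the bounded worker count keeps the client from overwhelming the service it is talking to.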
Loose Coupling Sets You Free

As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.

Best Practice

Design system architectures with independent components that are “black boxes.” The more loosely system components are coupled, the larger they scale.

A way to reduce interdependencies in a system is to allow the various components to interact with each other only through specific, technology-agnostic interfaces (such as RESTful APIs). In this way, the technical implementation details are hidden so that teams can modify the underlying implementation without affecting other components. As long as those interfaces maintain backward compatibility, the different components that an overall system is comprised of remain decoupled.

Amazon API Gateway provides a way to expose well-defined interfaces. Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

Asynchronous integration is a common pattern for implementing loose coupling between services. This model is suitable for any interaction that does not need an immediate response and where an acknowledgement that a request has been registered will suffice. It involves one component that generates events and another that consumes them. The two components do not integrate through direct point-to-point interaction, but usually through an intermediate durable storage layer, such as an Amazon Simple Queue Service (Amazon SQS) queue or a streaming data platform like Amazon Kinesis. Figure 14.6 shows the logical flow for tight and loosely coupled architectures.

FIGURE 14.6 Tight and loose coupling

Leveraging asynchronous integration decouples the two components and introduces additional resiliency. For example, if a process that is reading messages from the queue fails, messages can still be added to the queue to be processed when the system recovers. It also allows you to protect a less scalable back-end service from front-end spikes and find the right tradeoff between cost and processing lag. For example, you can decide that you don’t need to scale your database to accommodate for an occasional peak of write queries if you eventually process those queries asynchronously with some delay. Finally, by moving slow operations off of interactive request paths, you can also improve the end-user experience.

Sample Loosely Coupled Architecture

A company provides transcoding services for amateur producers to format their short films to a variety of video formats. The service provides end users with an easy-to-use website to submit videos for transcoding. The videos are stored in Amazon S3, and a message (“the request message”) is placed in an Amazon SQS queue (“the incoming queue”) with a pointer to the video and to the target video format in the message. The transcoding engine, running on a set of Amazon EC2 instances, reads the request message from the incoming queue, retrieves the video from Amazon S3 using the pointer, and transcodes the video into the target format. The converted video is put back into Amazon S3 and another message (“the response message”) is placed in another Amazon SQS queue (“the outgoing queue”) with a pointer to the converted video. At the same time, metadata about the video (such as format, date created, and length) can be indexed into Amazon DynamoDB for easy querying. During this whole workflow, a dedicated Amazon EC2 instance can constantly monitor the incoming queue and, based on the number of messages in the incoming queue, can dynamically adjust the number of transcoding Amazon EC2 instances to meet customers’ response time requirements.
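The asynchronous-integration discussion and the transcoding walkthrough above are modelled in the following added example (not code from the study guide or from AWS). A small local queue reproduces the behaviour that makes the pattern resilient: a received message becomes invisible for a visibility timeout and is deleted only after the worker finishes, so a worker that dies mid-job simply lets its message reappear for another worker. The request and response message layout, the storage dictionary standing in for Amazon S3, the transcoding stand-in, and the scaling formula (ceil of queue depth divided by a per-worker target) are all assumptions made for this example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    body: dict
    receipt: int               # stands in for the SQS receipt handle used to delete
    invisible_until: float = 0.0


class LocalQueue:
    """Constructed stand-in for an Amazon SQS queue with visibility-timeout semantics.
    receive() hides a message for `visibility_timeout` seconds; delete() removes it;
    a message that is never deleted becomes visible again, so no work is lost."""

    def __init__(self, visibility_timeout: float = 30.0):
        self.visibility_timeout = visibility_timeout
        self._messages: List[Message] = []
        self._next_receipt = 0

    def send(self, body: dict) -> None:
        self._next_receipt += 1
        self._messages.append(Message(body, self._next_receipt))

    def receive(self, now: float) -> Optional[Message]:
        for message in self._messages:
            if message.invisible_until <= now:
                message.invisible_until = now + self.visibility_timeout
                return message
        return None

    def delete(self, receipt: int) -> None:
        self._messages = [m for m in self._messages if m.receipt != receipt]

    def approximate_depth(self) -> int:
        """Counts all messages, like SQS's ApproximateNumberOfMessages plus in-flight ones."""
        return len(self._messages)


def desired_worker_count(depth: int, per_worker: int = 10, minimum: int = 1, maximum: int = 20) -> int:
    """Scaling decision for the monitoring instance: target backlog of `per_worker` messages each."""
    return max(minimum, min(maximum, math.ceil(depth / per_worker)))


def transcode(request: dict, storage: Dict[str, str]) -> dict:
    """Constructed stand-in for the transcoding engine: follow the pointer, write the output,
    return the response message that points at the converted object."""
    source = storage[request["video_key"]]
    output_key = f"{request['video_key']}.{request['target_format']}"
    storage[output_key] = f"{source} transcoded to {request['target_format']}"
    return {"converted_key": output_key, "source_key": request["video_key"],
            "format": request["target_format"]}


def run_worker(incoming: LocalQueue, outgoing: LocalQueue, storage: Dict[str, str],
               now: float, crash_on: Optional[str] = None) -> int:
    """Process at most one request message. Returns 1 if a message was completed, else 0.
    If the message's video_key equals `crash_on`, simulate the worker dying before deleting."""
    message = incoming.receive(now)
    if message is None:
        return 0
    if message.body["video_key"] == crash_on:
        return 0  # no delete: the message reappears after the visibility timeout
    outgoing.send(transcode(message.body, storage))
    incoming.delete(message.receipt)
    return 1


if __name__ == "__main__":
    store = {"videos/clip-1.mov": "raw clip 1"}  # constructed sample object
    requests, responses = LocalQueue(), LocalQueue()
    requests.send({"video_key": "videos/clip-1.mov", "target_format": "mp4"})
    print("workers needed:", desired_worker_count(requests.approximate_depth()))
    run_worker(requests, responses, store, now=0.0)
    print("response messages:", responses.approximate_depth())
```

The website never waits on a transcoder and the transcoders never know which web server accepted the upload; both sides share only the message format and the queue, which is what allows the worker fleet to be resized from the queue depth alone.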
Applications that are deployed as a set of smaller services will depend on the ability of those services to interact with each other. Because each of those services could be running across multiple compute resources, there needs to be a way for each service to be addressed. For example, in a traditional infrastructure, if your front-end web service needed to connect with your back-end web service, you could hardcode the IP address of the compute resource where this service was running. Although this approach can still work on cloud computing, if those services are meant to be loosely coupled, they should be able to be consumed without prior knowledge of their network topology details. Apart from hiding complexity, this also allows infrastructure details to change at any time. In order to achieve this agility, you will need some way of implementing service discovery. Service discovery manages how processes and services in an environment can find and talk to one another. It involves a directory of services, registering services in that directory, and then being able to look up and connect to services in that directory.

Loose coupling is a crucial element if you want to take advantage of the elasticity of cloud computing, where new resources can be launched or terminated at any point in time. By architecting system components without tight dependencies on each other, applications are positioned to take full advantage of the cloud’s scale.

Don’t Fear Constraints

When organizations decide to move applications to the cloud and try to map their existing system specifications to those available in the cloud, they notice that the cloud might not have the exact specification of the resource that they have on premises. For example, observations may include “Cloud does not provide X amount of RAM in a server” or “My database needs to have more IOPS than what I can get in a single instance.”

You should understand that the cloud provides abstract resources that become powerful when you combine them with the on-demand provisioning model. You should not be afraid and constrained when using cloud resources because even if you might not get an exact replica of your on-premises hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.

When you push up against a constraint, think about what it’s telling you about a possible underlying architectural issue. For example, if AWS does not have an Amazon RDS instance type with enough RAM, consider whether you have inadvertently trapped yourself in a scale-up paradigm. Consider changing the underlying technology and using a scalable distributed cache like Amazon ElastiCache or sharding your data across multiple servers. If it is a read-heavy application, you can distribute the read load across a fleet of synchronized slaves.

Organizations are challenged with developing, managing, and operating applications at scale with a wide variety of underlying technology components. With traditional IT infrastructure, companies would have to build and operate all of those components. While these components may not map directly into a cloud environment, AWS offers a broad set of complementary services that help organizations overcome these constraints and to support agility and lower IT costs.

On AWS, there is a set of managed services that provides building blocks for developers to leverage for powering their applications. These managed services include databases, machine learning, analytics, queuing, search, email, notifications, and more. For example, with Amazon SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster while paying a low price for only what you use. The same applies to Amazon S3, where you can store as much data as required and access it when needed without having to think about capacity, hard disk configurations, replication, and other hardware-based considerations.

There are many other examples of managed services on AWS, such as Amazon CloudFront for content delivery, Elastic Load Balancing for load balancing, Amazon DynamoDB for NoSQL databases, Amazon CloudSearch for search workloads, Amazon Elastic Transcoder for video encoding, Amazon Simple Email Service (Amazon SES) for sending and receiving emails, and more.

Architectures that do not leverage the breadth of AWS Cloud services (for example, they use only Amazon EC2) might be self-constraining the ability to make the most of cloud computing. This oversight often leads to missing key opportunities to increase developer productivity and operational efficiency. When organizations combine on-demand provisioning, managed services, and the inherent flexibility of the cloud, they realize that apparent constraints can actually be broken down in ways that will actually improve the scalability and overall performance of their systems.
Summary

Typically, production systems come with defined or implicit requirements in terms of uptime. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won’t fail when an individual component does.

Traditional infrastructure generally necessitates predicting the amount of computing resources your application will use over a period of several years. If you underestimate, your applications will not have the horsepower to handle unexpected traffic, potentially resulting in customer dissatisfaction. If you overestimate, you’re wasting money with superfluous resources. The on-demand and elastic nature of the cloud enables the infrastructure to be closely aligned with the actual demand, thereby increasing overall utilization and reducing cost. While cloud computing provides virtually unlimited on-demand capacity, system architectures need to be able to take advantage of those resources seamlessly. There are generally two ways to scale an IT architecture: vertically and horizontally.

The AWS Cloud provides governance capabilities that enable continuous monitoring of configuration changes to your IT resources. Because AWS assets are programmable resources, your security policy can be formalized and embedded with the design of your infrastructure. With the ability to spin up temporary environments, security testing can now become part of your continuous delivery pipeline. Solutions Architects can leverage a plethora of native AWS security and encryption features that can help achieve higher levels of data protection and compliance at every layer of cloud architectures.

Because AWS makes parallelization effortless, Solutions Architects need to internalize the concept of parallelization when designing architectures in the cloud. It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.

As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. Solutions Architects should design systems in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.

When organizations try to map their existing system specifications to those available in the cloud, they notice that the cloud might not have the exact specification of the resource that they have on-premises. Organizations should not be afraid and feel constrained when using cloud resources. Even if you might not get an exact replica of your hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.

By focusing on concepts and best practices—like designing for failure, decoupling the application components, understanding and implementing elasticity, combining it with parallelization, and integrating security in every aspect of the application architecture—Solutions Architects can understand the design considerations necessary for building highly scalable cloud applications.

As each use case is unique, Solutions Architects need to remain diligent in evaluating how best practices and patterns can be applied to each implementation. The topic of cloud computing architectures is broad and continuously evolving.

Exam Essentials

Understand highly available architectures. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won’t fail when an individual component does.

Understand redundancy. Redundancy can be implemented in either standby or active mode. When a resource fails in standby redundancy, functionality is recovered on a secondary resource using a process called failover. The failover will typically require some time before it is completed, and during that period the resource remains unavailable. In active redundancy, requests are distributed to multiple redundant compute resources, and when one of them fails, the rest can simply absorb a larger share of the workload. Compared to standby redundancy, active redundancy can achieve better utilization and affect a smaller population when there is a failure.

Understand elasticity. Elastic architectures can support growth in users, traffic, or data size with no drop in performance. It is important to build elastic systems on top of a scalable architecture. These architectures should scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. There are generally two ways to scale an IT architecture: vertically and horizontally.
Understandverticalscaling.Scalingverticallytakesplacethroughanincreaseinthespecificationsofanindividualresource(forexample,upgradingaserverwithalargerharddriveorafasterCPU).Thiswayofscalingcaneventuallyhitalimit,anditisnotalwaysacostefficientorhighlyavailableapproach.
Understandhorizontalscaling.Scalinghorizontallytakesplacethroughanincreaseinthenumberofresources.ThisisagreatwaytobuildInternet-scaleapplicationsthatleveragetheelasticityofcloudcomputing.Itisimportanttounderstandtheimpactofstatelessandstatefularchitecturesbeforeimplementinghorizontalscaling.
Understandstatelessapplications.Astatelessapplicationneedsnoknowledgeofthepreviousinteractionsandstoresnosessioninformation.Astatelessapplicationcanscalehorizontallybecauseanyrequestcanbeservicedbyanyoftheavailablesystemcomputeresources.
Understandloosecoupling.Asapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.ThismeansthatITsystemsshouldbedesignedas“blackboxes”toreduceinterdependenciessothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.Themorelooselysystemcomponentsarecoupled,thelargertheyscale.
UnderstandthedifferentstorageoptionsinAWS.AWSoffersabroadrangeofstoragechoicesforbackup,archiving,anddisasterrecovery,aswellasblock,file,andobjectstoragetosuitaplethoraofusecases.Itisimportantfromacost,performance,andfunctionalaspecttoleveragedifferentstorageoptionsavailableinAWSfordifferenttypesofdatasets.
Exercises

In this section, you will implement a resilient application leveraging some of the best practices outlined in this chapter. You will build the architecture depicted in Figure 14.7 in the following series of exercises.

FIGURE 14.7 Sample web application for chapter exercises

For assistance in completing the following exercises, reference the following user guides:

Amazon VPC—http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html
Amazon EC2 (Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
Amazon RDS (MySQL)—http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html
EXERCISE 14.1
Create a Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Amazon VPC with a Classless Inter-Domain Routing (CIDR) block equal to 192.168.0.0/16, a name tag of Ch14-VPC, and default tenancy.

EXERCISE 14.2
Create an Internet Gateway for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Internet gateway with a name tag of Ch14-IGW.
4. Attach the Ch14-IGW Internet gateway to the Amazon VPC from Exercise 14.1.

EXERCISE 14.3
Update the Main Route Table for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Locate the main route table for the Amazon VPC from Exercise 14.1.
4. Update the route table name tag to a value of Ch14-MainRouteTable.
5. Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the Internet gateway from Exercise 14.2.

EXERCISE 14.4
Create Public Subnets for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of Ch14-PublicSubnet1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet (for example, US-East-1a).
4. Create a subnet with a CIDR block equal to 192.168.3.0/24 and a name tag of Ch14-PublicSubnet2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet that is different from the one previously specified (for example, US-East-1b).

EXERCISE 14.5
Create a NAT Gateway for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a Network Address Translation (NAT) gateway in the Amazon VPC from Exercise 14.1 within the Ch14-PublicSubnet1 subnet from Exercise 14.4.

EXERCISE 14.6
Create a Private Route Table for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a route table for the Amazon VPC from Exercise 14.1 with a name tag of Ch14-PrivateRouteTable.
4. Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the NAT gateway from Exercise 14.5.

EXERCISE 14.7
Create Private Subnets for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of Ch14-PrivateSubnet1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for the Ch14-PublicSubnet1 (for example, US-East-1a).
4. Update the route table for the created subnet to the Ch14-PrivateRouteTable from Exercise 14.6.
5. Create a subnet with a CIDR block equal to 192.168.4.0/24 and a name tag of Ch14-PrivateSubnet2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for the Ch14-PublicSubnet2 (for example, US-East-1b).
6. Update the route table for the created subnet to the Ch14-PrivateRouteTable from Exercise 14.6.

EXERCISE 14.8
Create Security Groups for Each Application Tier
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Amazon VPC security group for the ELB with a name tag and group tab of Ch14-ELB-SG and a description of Load balancer security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of 0.0.0.0/0.
4. Create an Amazon VPC security group for the web servers with a name tag and group tab of Ch14-WebServer-SG and a description of Web server security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of the Ch14-ELB-SG security group. You may want to add another inbound rule of Type SSH, a protocol of TCP, a port range of 22, and a source of your IP address to provide secure access to manage the servers.
5. Create an Amazon VPC security group for the Amazon RDS MySQL database with a name tag and group tab of Ch14-DB-SG and a description of Database security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type MYSQL/Aurora, a protocol of TCP, a port range of 3306, and a source of the Ch14-WebServer-SG security group.

EXERCISE 14.9
Create a MySQL Multi-AZ Amazon RDS Instance
1. Log in to the AWS Management Console.
2. Navigate to the Amazon RDS console.
3. Create a DB subnet group with a name of Ch14-SubnetGroup and a description of Subnet group for Ch14 exercises. Create the DB subnet group in the Amazon VPC from Exercise 14.1 with the private subnets from Exercise 14.7.
4. Launch a MySQL Amazon RDS instance with the following characteristics:
DB Instance Class: db.t2.small
Multi-AZ Deployment: yes
Allocated Storage: no less than 5 GB
DB Instance Identifier: ch14db
Master User Name: your choice
Master Password: your choice
VPC: the Amazon VPC from Exercise 14.1
DB Security Group: Ch14-SubnetGroup
Publicly Accessible: No
VPC Security Group: Ch14-DB-SG
Database Name: appdb
Database Port: 3306

EXERCISE 14.10
Create an Elastic Load Balancer (ELB)
1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Create an ELB with a load balancer name of Ch14-WebServer-ELB. Create the ELB in the Amazon VPC from Exercise 14.1 with a listener configuration of the following:
Load Balancer Protocol: HTTP
Load Balancer Port: 80
Instance Protocol: HTTP
Instance Port: 80
4. Add the public subnets created in Exercise 14.4.
5. Assign the existing security group of Ch14-ELB-SG created in Exercise 14.8.
6. Configure the health check with a ping protocol of HTTP, a ping port of 80, and a ping path of /index.html.
7. Add a tag with a key of Name and value of Ch14-WebServer-ELB.
8. Update the ELB port configuration to enable load-balancer generated cookie stickiness with an expiration period of 30 seconds.
CreateaWebServerAutoScalingGroup1. LogintotheAWSManagementConsole.
2. NavigatetotheAmazonEC2console.
3. CreatealaunchconfigurationforthewebserverAutoScalinggroupwiththefollowingcharacteristics:
AMI:latestAmazonLinuxAMI
InstanceType:t2.small
Name:Ch14-WebServer-LC
Userdata:
#!/bin/bash
yumupdate–y
yuminstall-yphp
yuminstall-yphp-mysql
yuminstall-ymysql
yuminstall-yhttpd
echo"<html><body><h1>poweredbyAWS</h1></body></html>">
/var/www/html/index.html
servicehttpdstart
SecurityGroup:Ch14-WebServer-SG
KeyPair:existingornewkeypairforyouraccount
4. CreateanAutoScalinggroupforthewebserversfromthelaunchconfigurationCh14-WebServer-LCwithagroupnameofCh14-WebServer-AG.CreatetheAutoScalinggroupintheAmazonVPCfromExercise14.1withthepublicsubnetscreatedinExercise14.4andagroupsizeof2.
5. AssociatetheloadbalancerCh14-WebServer-ELBcreatedinExercise14.10totheAutoScalinggroup.
6. AddanametagwithakeyofNameandvalueofCh14-WebServer-AGtotheAutoScalinggroup.
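The exercises above are console click-throughs, so nothing checks the plan before it is built. As an added example that is not part of the study guide, the following Python script models the Chapter 14 layout (the CIDRs, subnet names, route targets and security-group rules from Exercises 14.1 to 14.8) and verifies the properties that keep the tiers isolated: every subnet inside 192.168.0.0/16 with no overlaps, public subnets in two Availability Zones, a public subnet in each private subnet's zone to host the NAT gateway, and only the load balancer group open to 0.0.0.0/0. The Plan, Subnet and SecurityGroup classes, the check functions and the 203.0.113.10/32 administrator address are constructed for this example.

```python
"""Plan checker for the Chapter 14 exercise VPC (added example, not the book's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANYWHERE = "0.0.0.0/0"


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    default_route: str  # "igw": main/public route table, "nat": private route table


@dataclass
class SecurityGroup:
    name: str
    # Inbound rules as (protocol, port, source); a source is either a CIDR
    # string or the name of another security group, as in Exercise 14.8.
    inbound: List[Tuple[str, int, str]]


@dataclass
class Plan:
    vpc_cidr: str
    subnets: List[Subnet]
    security_groups: List[SecurityGroup]
    internet_facing: List[str]  # the only groups allowed a source of ANYWHERE


def _is_cidr(source: str) -> bool:
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def check_subnets(plan: Plan) -> List[str]:
    """Containment, overlap, AZ spread and public/private pairing checks."""
    findings = []
    vpc = ipaddress.ip_network(plan.vpc_cidr)
    seen = []
    for s in plan.subnets:
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc):
            findings.append(f"{s.name}: {s.cidr} lies outside the VPC block {plan.vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{s.name}: {s.cidr} overlaps {other_name}")
        seen.append((s.name, net))
    public_azs = {s.az for s in plan.subnets if s.default_route == "igw"}
    if len(public_azs) < 2:
        findings.append("public subnets do not span at least two Availability Zones")
    for s in plan.subnets:
        # The NAT gateway sits in a public subnet (Exercise 14.5); a private
        # subnet whose zone has no public subnet depends on another zone's NAT.
        if s.default_route == "nat" and s.az not in public_azs:
            findings.append(f"{s.name}: no public subnet in {s.az} to host a NAT gateway")
    return findings


def check_security_groups(plan: Plan) -> List[str]:
    """Every source must resolve, and only internet-facing groups may be open."""
    findings = []
    names = {g.name for g in plan.security_groups}
    for g in plan.security_groups:
        for proto, port, source in g.inbound:
            if _is_cidr(source):
                net = ipaddress.ip_network(source, strict=False)
                # A single administrator host (/32) is tolerated on any tier;
                # anything wider must be on a group listed as internet-facing.
                if net.num_addresses > 1 and g.name not in plan.internet_facing:
                    findings.append(f"{g.name}: {proto}/{port} open to {source}")
            elif source not in names:
                findings.append(f"{g.name}: source group {source} does not exist")
    return findings


def check_plan(plan: Plan) -> List[str]:
    return check_subnets(plan) + check_security_groups(plan)


# Values from Exercises 14.1-14.8; the /32 SSH source stands in for "your IP address".
CHAPTER14_PLAN = Plan(
    vpc_cidr="192.168.0.0/16",
    subnets=[
        Subnet("Ch14-PublicSubnet1", "192.168.1.0/24", "us-east-1a", "igw"),
        Subnet("Ch14-PublicSubnet2", "192.168.3.0/24", "us-east-1b", "igw"),
        Subnet("Ch14-PrivateSubnet1", "192.168.2.0/24", "us-east-1a", "nat"),
        Subnet("Ch14-PrivateSubnet2", "192.168.4.0/24", "us-east-1b", "nat"),
    ],
    security_groups=[
        SecurityGroup("Ch14-ELB-SG", [("tcp", 80, ANYWHERE)]),
        SecurityGroup("Ch14-WebServer-SG", [("tcp", 80, "Ch14-ELB-SG"),
                                            ("tcp", 22, "203.0.113.10/32")]),
        SecurityGroup("Ch14-DB-SG", [("tcp", 3306, "Ch14-WebServer-SG")]),
    ],
    internet_facing=["Ch14-ELB-SG"],
)

if __name__ == "__main__":
    for finding in check_plan(CHAPTER14_PLAN) or ["plan is consistent"]:
        print(finding)
```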
You will need your own domain name to complete this section, and you should be aware that Amazon Route 53 is not eligible for AWS Free Tier. Hosting a zone on Amazon Route 53 will cost approximately $0.50 per month per hosted zone, and additional charges will be levied depending on what routing policy you choose. For more information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.

EXERCISE 14.12
Create a Route 53 Hosted Zone
1. Log in to the AWS Management Console.
2. Navigate to the Amazon Route 53 console and create a hosted zone.
3. Enter your domain name and create your new zone file.
4. In the new zone file, you will see the Start of Authority (SOA) record and name servers. You will need to log in to your domain registrar’s website and update the name servers with your AWS name servers.
If the registrar has a method to change the Time To Live (TTL) settings for their name servers, it is recommended that you reset the settings to 900 seconds. This limits the time during which client requests will try to resolve domain names using obsolete name servers. You will need to wait for the duration of the previous TTL for resolvers and clients to stop caching the DNS records with their previous values.
5. After you update your name servers with your domain registrars, Amazon Route 53 will be configured to serve DNS requests for your domain.

EXERCISE 14.13
Create an Alias A Record
1. Log in to the AWS Management Console.
2. Navigate to the Amazon Route 53 console.
3. Select your Route 53 hosted zone created in Exercise 14.12. Create a record set with a name of www and a type of A—IPv4 Address.
4. Create an alias with an alias target of the ELB Ch14-WebServer-ELB created in Exercise 14.10 and leave your routing policy as simple.

EXERCISE 14.14
Test Your Configuration
1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Verify that the ELB created in Exercise 14.11 has 2 of 2 instances in service.
4. In a web browser, navigate to the web farm (www.example.com) using the Hosted Zone A record created in Exercise 14.13. You should see “powered by AWS” on the web page.
Review Questions

1. When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components? (Choose 2 answers)
A. Amazon CloudFront
B. Amazon Kinesis
C. Amazon Route 53
D. AWS CloudFormation
E. Amazon Simple Queue Service (Amazon SQS)

2. Which of the following options will help increase the availability of a web server farm? (Choose 2 answers)
A. Use Amazon CloudFront to deliver content to the end users with low latency and high data transfer speeds.
B. Launch the web server instances across multiple Availability Zones.
C. Leverage Auto Scaling to recover from failed instances.
D. Deploy the instances in an Amazon Virtual Private Cloud (Amazon VPC).
E. Add more CPU and RAM to each instance.

3. Which of the following AWS Cloud services are designed according to the Multi-AZ principle? (Choose 2 answers)
A. Amazon DynamoDB
B. Amazon ElastiCache
C. Elastic Load Balancing
D. Amazon Virtual Private Cloud (Amazon VPC)
E. Amazon Simple Storage Service (Amazon S3)

4. Your e-commerce site was designed to be stateless and currently runs on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and increase availability, you have a requirement to scale the fleet based on CPU and network utilization to match the demand curve for your site. What services do you need to meet this requirement? (Choose 2 answers)
A. Amazon CloudWatch
B. Amazon DynamoDB
C. Elastic Load Balancing
D. Auto Scaling
E. Amazon Simple Storage Service (Amazon S3)

5. Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following steps would you follow for your existing Amazon EBS volumes to comply with the new requirement? (Choose 3 answers)
A. Move the existing Amazon EBS volume into an Amazon Virtual Private Cloud (Amazon VPC).
B. Create a new Amazon EBS volume with encryption enabled.
C. Modify the existing Amazon EBS volume properties to enable encryption.
D. Attach an Amazon EBS volume with encryption enabled to the instance that hosts the data, then migrate the data to the encryption-enabled Amazon EBS volume.
E. Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS volume with encryption enabled.

6. When building a Distributed Denial of Service (DDoS)-resilient architecture, how does Amazon Virtual Private Cloud (Amazon VPC) help minimize the attack surface area? (Choose 3 answers)
A. Reduces the number of necessary Internet entry points
B. Combines end user traffic with management traffic
C. Obfuscates necessary Internet entry points to the level that untrusted end users cannot access them
D. Adds non-critical Internet entry points to the architecture
E. Scales the network to absorb DDoS attacks

7. Your e-commerce application provides daily and ad hoc reporting to various business units on customer purchases. This is resulting in an extremely high level of read traffic to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can you do to scale up read traffic without impacting your database’s performance?
A. Increase the allocated storage for the Amazon RDS instance.
B. Modify the Amazon RDS instance to be a Multi-AZ deployment.
C. Create a read replica for an Amazon RDS instance.
D. Change the Amazon RDS instance DB engine version.

8. Your website is hosted on a fleet of web servers that are load balanced across multiple Availability Zones using an Elastic Load Balancer (ELB). What type of record set in Amazon Route 53 can be used to point myawesomeapp.com to your website?
A. Type A Alias resource record set
B. MX record set
C. TXT record set
D. CNAME record set

9. You need a secure way to distribute your AWS credentials to an application running on Amazon Elastic Compute Cloud (Amazon EC2) instances in order to access supplementary AWS Cloud services. What approach provides your application access to use short-term credentials for signing requests while protecting those credentials from other users?
A. Add your credentials to the User Data parameter of each Amazon EC2 instance.
B. Use a configuration file to store your access and secret keys on the Amazon EC2 instances.
C. Specify your access and secret keys directly in your application.
D. Provision the Amazon EC2 instances with an instance profile that has the appropriate privileges.

10. You are running a suite of microservices on AWS Lambda that provide the business logic and access to data stored in Amazon DynamoDB for your task management system. You need to create well-defined RESTful Application Program Interfaces (APIs) for these microservices that will scale with traffic to support a new mobile application. What AWS Cloud service can you use to create the necessary RESTful APIs?
A. Amazon Kinesis
B. Amazon API Gateway
C. Amazon Cognito
D. Amazon Elastic Compute Cloud (Amazon EC2) Container Registry

11. Your WordPress website is hosted on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances that leverage Auto Scaling to provide high availability. To ensure that the content of the WordPress site is sustained through scale up and scale down events, you need a common file system that is shared between more than one Amazon EC2 instance. Which AWS Cloud service can meet this requirement?
A. Amazon CloudFront
B. Amazon ElastiCache
C. Amazon Elastic File System (Amazon EFS)
D. Amazon Elastic Beanstalk

12. You are changing your application to move session state information off the individual Amazon Elastic Compute Cloud (Amazon EC2) instances to take advantage of the elasticity and cost benefits provided by Auto Scaling. Which of the following AWS Cloud services is best suited as an alternative for storing session state information?
A. Amazon DynamoDB
B. Amazon Redshift
C. Amazon Storage Gateway
D. Amazon Kinesis

13. A media sharing application is producing a very high volume of data in a very short period of time. Your back-end services are unable to manage the large volume of transactions. What option provides a way to manage the flow of transactions to your back-end services?
A. Store the inbound transactions in an Amazon Relational Database Service (Amazon RDS) instance so that your back-end services can retrieve them as time permits.
B. Use an Amazon Simple Queue Service (Amazon SQS) queue to buffer the inbound transactions.
C. Use an Amazon Simple Notification Service (Amazon SNS) topic to buffer the inbound transactions.
D. Store the inbound transactions in an Amazon Elastic MapReduce (Amazon EMR) cluster so that your back-end services can retrieve them as time permits.

14. Which of the following are best practices for managing AWS Identity and Access Management (IAM) user access keys? (Choose 3 answers)
A. Embed access keys directly into application code.
B. Use different access keys for different applications.
C. Rotate access keys periodically.
D. Keep unused access keys for an indefinite period of time.
E. Configure Multi-Factor Authentication (MFA) for your most sensitive operations.

15. You need to implement a service to scan Application Program Interface (API) calls and related events’ history to your AWS account. This service will detect things like unused permissions, overuse of privileged accounts, and anomalous logins. Which of the following AWS Cloud services can be leveraged to implement this service? (Choose 3 answers)
A. AWS CloudTrail
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Route 53
D. Auto Scaling
E. AWS Lambda

16. Government regulations require that your company maintain all correspondence for a period of seven years for compliance reasons. What is the best storage mechanism to keep this data secure in a cost-effective manner?
A. Amazon S3
B. Amazon Glacier
C. Amazon EBS
D. Amazon EFS

17. Your company provides media content via the Internet to customers through a paid subscription model. You leverage Amazon CloudFront to distribute content to your customers with low latency. What approach can you use to serve this private content securely to your paid subscribers?
A. Provide signed Amazon CloudFront URLs to authenticated users to access the paid content.
B. Use HTTPS requests to ensure that your objects are encrypted when Amazon CloudFront serves them to viewers.
C. Configure Amazon CloudFront to compress the media files automatically for paid subscribers.
D. Use the Amazon CloudFront geo restriction feature to restrict access to all of the paid subscription media at the country level.

18. Your company provides transcoding services for amateur producers to format their short films to a variety of video formats. Which service provides the best option for storing the videos?
A. Amazon Glacier
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Relational Database Service (Amazon RDS)
D. AWS Storage Gateway

19. A week before Cyber Monday last year, your corporate data center experienced a failed air conditioning unit that caused flooding into the server racks. The resulting outage cost your company significant revenue. Your CIO mandated a move to the cloud, but he is still concerned about catastrophic failures in a data center. What can you do to alleviate his concerns?
A. Distribute the architecture across multiple Availability Zones.
B. Use an Amazon Virtual Private Cloud (Amazon VPC) with subnets.
C. Launch the compute for the processing services in a placement group.
D. Purchase Reserved Instances for the processing services instances.

20. Your Amazon Virtual Private Cloud (Amazon VPC) includes multiple private subnets. The instances in these private subnets must access third-party payment Application Program Interfaces (APIs) over the Internet. Which option will provide highly available Internet access to the instances in the private subnets?
A. Create an AWS Storage Gateway in each Availability Zone and configure your routing to ensure that resources use the AWS Storage Gateway in the same Availability Zone.
B. Create a customer gateway in each Availability Zone and configure your routing to ensure that resources use the customer gateway in the same Availability Zone.
C. Create a Network Address Translation (NAT) gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
D. Create a NAT gateway in one Availability Zone and configure your routing to ensure that resources use that NAT gateway in all the Availability Zones.
AppendixAAnswerstoReviewQuestions
Chapter1:IntroductiontoAWS1. D.AregionisanamedsetofAWSresourcesinthesamegeographicalarea.AregioncomprisesatleasttwoAvailabilityZones.Endpoint,Collection,andFleetdonotdescribeaphysicallocationaroundtheworldwhereAWSclustersdatacenters.
2. A.AnAvailabilityZoneisadistinctlocationwithinaregionthatisinsulatedfromfailuresinotherAvailabilityZonesandprovidesinexpensive,low-latencynetworkconnectivitytootherAvailabilityZonesinthesameregion.Replicationareas,geographicdistricts,andcomputecentersarenottermsusedtodescribeAWSdatacenterlocations.
3. B.Ahybriddeploymentisawaytoconnectinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresourcesthatarenotlocatedinthecloud.Anall-indeploymentreferstoanenvironmentthatexclusivelyrunsinthecloud.Anon-premisesdeploymentreferstoanenvironmentthatrunsexclusivelyinanorganization’sdatacenter.
4. C.AmazonCloudWatchisamonitoringserviceforAWSCloudresourcesandtheapplicationsorganizationsrunonAWS.Itallowsorganizationstocollectandtrackmetrics,collectandmonitorlogfiles,andsetalarms.AWSIAM,AmazonSNS,andAWSCloudFormationdonotprovidevisibilityintoresourceutilization,applicationperformance,andtheoperationalhealthofyourAWSresources.
5. B.AmazonDynamoDBisafullymanaged,fast,andflexibleNoSQLdatabaseserviceforallapplicationsthatneedconsistent,single-digitmillisecondlatencyatanyscale.AmazonSQS,AmazonElastiCache,andAmazonRDSdonotprovideaNoSQLdatabaseservice.AmazonSQSisamanagedmessagequeuingservice.AmazonElastiCacheisaservicethatprovidesin-memorycacheinthecloud.Finally,AmazonRDSprovidesmanagedrelationaldatabases.
6. A.AutoScalinghelpsmaintainapplicationavailabilityandallowsorganizationstoscaleAmazonElasticComputeCloud(AmazonEC2)capacityupordownautomaticallyaccordingtoconditionsdefinedfortheparticularworkload.NotonlycanitbeusedtohelpensurethatthedesirednumberofAmazonEC2instancesarerunning,butitalsoallowsresourcestoscaleinandouttomatchthedemandsofdynamicworkloads.AmazonGlacier,AmazonSNS,andAmazonVPCdonotprovideservicestoscalecomputecapacityautomatically.
7. D.AmazonCloudFrontisawebservicethatprovidesaCDNtospeedupdistributionofyourstaticanddynamicwebcontent—forexample,.html,.css,.php,image,andmediafiles—toendusers.AmazonCloudFrontdeliverscontentthroughaworldwidenetworkofedgelocations.AmazonEC2,AmazonRoute53,andAWSStorageGatewaydonotprovideCDNservicesthatarerequiredtomeettheneedsforthephotosharingservice.
8. A.AmazonEBSprovidespersistentblock-levelstoragevolumesforusewithAmazonEC2instancesontheAWSCloud.AmazonDynamoDB,AmazonGlacier,andAWSCloudFormationdonotprovidepersistentblock-levelstorageforAmazonEC2instances.AmazonDynamoDBprovidesmanagedNoSQLdatabases.AmazonGlacierprovideslow-costarchivalstorage.AWSCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources.
9. C.AmazonVPCletsorganizationsprovisionalogicallyisolatedsectionoftheAWSCloudwheretheycanlaunchAWSresourcesinavirtualnetworkthattheydefine.AmazonSWF,AmazonRoute53,andAWSCloudFormationdonotprovideavirtualnetwork.AmazonSWFhelpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.AmazonRoute53providesahighlyavailableandscalablecloudDomainNameSystem(DNS)webservice.AmazonCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources.
10. B.AmazonSQSisafast,reliable,scalable,fullymanagedmessagequeuingservicethatallowsorganizationstodecouplethecomponentsofacloudapplication.WithAmazonSQS,organizationscantransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobealwaysavailable.AWSCloudTrailrecordsAWSAPIcalls,andAmazonRedshiftisadatawarehouse,neitherofwhichwouldbeusefulasanarchitecturecomponentfordecouplingcomponents.AmazonSNSprovidesamessagingbuscomplementtoAmazonSQS;however,itdoesn’tprovidethedecouplingofcomponentsnecessaryforthisscenario.
Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage1. D,E.Objectsarestoredinbuckets,andobjectscontainbothdataandmetadata.
2. B,D.AmazonS3cannotbemountedtoanAmazonEC2instancelikeafilesystemandshouldnotserveasprimarydatabasestorage.
3. A,B,D.CandEareincorrect—objectsareprivatebydefault,andstorageinabucketdoesnotneedtobepre-allocated.
4. B,C,E.Staticwebsitehostingdoesnotrestrictdataaccess,andneitherdoesanAmazonS3lifecyclepolicy.
5. C,E.Versioningprotectsdataagainstinadvertentorintentionaldeletionbystoringallversionsoftheobject,andMFADeleterequiresaone-timecodefromaMulti-FactorAuthentication(MFA)devicetodeleteobjects.Cross-regionreplicationandmigrationtotheAmazonGlacierstorageclassdonotprotectagainstdeletion.VaultlocksareafeatureofAmazonGlacier,notafeatureofAmazonS3.
6. C.MigratingthedatatoAmazonS3Standard-IAafter30daysusingalifecyclepolicyiscorrect.AmazonS3RRSshouldonlybeusedforeasilyreplicateddata,notcriticaldata.MigrationtoAmazonGlaciermightminimizestoragecostsifretrievalsareinfrequent,butdocumentswouldnotbeavailableinminuteswhenneeded.
7. B.Dataisautomaticallyreplicatedwithinaregion.Replicationtootherregionsandversioningareoptional.AmazonS3dataisnotbackeduptotape.
8. C.InaURL,thebucketnameprecedesthestring“s3.amazonaws.com/,”andtheobjectkeyiseverythingafterthat.ThereisnofolderstructureinAmazonS3.
9. C.AmazonS3serveraccesslogsstorearecordofwhatrequestoraccessedtheobjectsinyourbucket,includingtherequestingIPaddress.
10. B,C.Cross-regionreplicationcanhelplowerlatencyandsatisfycompliancerequirementsondistance.AmazonS3isdesignedforelevenninesdurabilityforobjectsinasingleregion,soasecondregiondoesnotsignificantlyincreasedurability.Cross-regionreplicationdoesnotprotectagainstaccidentaldeletion.
11. C.IfdatamustbeencryptedbeforebeingsenttoAmazonS3,client-sideencryptionmustbeused.
12. B.AmazonS3scalesautomatically,butforrequestratesover100GETSpersecond,ithelpstomakesurethereissomerandomnessinthekeyspace.Replicationandloggingwillnotaffectperformanceorscalability.Usingsequentialkeynamescouldhaveanegativeeffectonperformanceorscalability.
13. A,D.Youmustenableversioningbeforeyoucanenablecross-regionreplication,andAmazonS3musthaveIAMpermissionstoperformthereplication.Lifecyclerulesmigratedatafromonestorageclasstoanother,notfromonebuckettoanother.Staticwebsitehostingisnotaprerequisiteforreplication.
14. B.AmazonS3isthemostcosteffectivestorageonAWS,andlifecyclepoliciesarea
simpleandeffectivefeaturetoaddressthebusinessrequirements.
15. B,C,E.AmazonS3bucketpoliciescannotspecifyacompanynameoracountryororigin,buttheycanspecifyrequestIPrange,AWSaccount,andaprefixforobjectsthatcanbeaccessed.
16. B,C.AmazonS3providesread-after-writeconsistencyforPUTstonewobjects(newkey),buteventualconsistencyforGETsandDELETEsofexistingobjects(existingkey).
17. A,B,D.A,B,andDarerequired,andnormallyyoualsosetafriendlyCNAMEtothebucketURL.AmazonS3doesnotsupportFTPtransfers,andHTTPdoesnotneedtobeenabled.
18. B.Pre-signedURLsallowyoutogranttime-limitedpermissiontodownloadobjectsfromanAmazonSimpleStorageService(AmazonS3)bucket.Staticwebhostinggenerallyrequiresworld-readaccesstoallcontent.AWSIAMpoliciesdonotknowwhotheauthenticatedusersofthewebappare.Loggingcanhelptrackcontentloss,butnotpreventit.
19. A,C.AmazonGlacierisoptimizedforlong-termarchivalstorageandisnotsuitedtodatathatneedsimmediateaccessorshort-liveddatathatiserasedwithin90days.
20. C,D,E.AmazonGlacierstoresdatainarchives,whicharecontainedinvaults.Archivesareidentifiedbysystem-createdarchiveIDs,notkeynames.
Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)1. C.ReservedInstancesprovidecostsavingswhenyoucancommittorunninginstancesfulltime,suchastohandlethebasetraffic.On-DemandInstancesprovidetheflexibilitytohandletrafficspikes,suchasonthelastdayofthemonth.
2. B.SpotInstancesareaverycost-effectivewaytoaddresstemporarycomputeneedsthatarenoturgentandaretolerantofinterruption.That’sexactlytheworkloaddescribedhere.ReservedInstancesareinappropriatefortemporaryworkloads.On-DemandInstancesaregoodfortemporaryworkloads,butdon’tofferthecostsavingsofSpotInstances.Addingmorequeuesisanon-responsiveanswerasitwouldnotaddresstheproblem.
3. C,D.TheAmazonEC2instanceIDwillbeassignedbyAWSaspartofthelaunchprocess.TheadministratorpasswordisassignedbyAWSandencryptedviathepublickey.TheinstancetypedefinesthevirtualhardwareandtheAMIdefinestheinitialsoftwarestate.Youmustspecifybothuponlaunch.
4. A,C.Youcanchangetheinstancetypeonlywithinthesameinstancetypefamily,oryoucanchangetheAvailabilityZone.Youcannotchangetheoperatingsystemnortheinstancetypefamily.
5. D.Whentherearemultiplesecuritygroupsassociatedwithaninstance,alltherulesareaggregated.
6. A,B,E.Thesearethebenefitsofenhancednetworking.
7. A,B,D.Theotheranswershavenothingtodowithnetworking.
8. C.DedicatedInstanceswillnotsharehostswithotheraccounts.
9. B,C.Instancestoresarelow-durability,high-IOPSstoragethatisincludedforfreewiththehourlycostofaninstance.
10. A,C.TherearenotapesintheAWSinfrastructure.AmazonEBSvolumespersistwhentheinstanceisstopped.ThedataisautomaticallyreplicatedwithinanAvailabilityZone.AmazonEBSvolumescanbeencrypteduponcreationandusedbyaninstanceinthesamemannerasiftheywerenotencrypted.
11. B.Thereisnodelayinprocessingwhencommencingasnapshot.
12. B.Thevolumeiscreatedimmediatelybutthedataisloadedlazily.Thismeansthatthevolumecanbeaccesseduponcreation,andifthedatabeingrequestedhasnotyetbeenrestored,itwillberestoreduponfirstrequest.
13. A,C.BandDareincorrectbecauseaninstancestorewillnotbedurableandamagneticvolumeoffersanaverageof100IOPS.AmazonEBS-optimizedinstancesreservenetworkbandwidthontheinstanceforIO,andProvisionedIOPSSSDvolumesprovidethehighestconsistentIOPS.
14. D.Bootstrappingrunstheprovidedscript,soanythingyoucanaccomplishinascriptyoucanaccomplishduringbootstrapping.
15. C.Thepublichalfofthekeypairisstoredontheinstance,andtheprivatehalfcanthenbeusedtoconnectviaSSH.
16. B,C.ThesearethepossibleoutputsofVMImport/Export.
17. B,D.NeithertheWindowsmachinenamenortheAmazonEC2instanceIDcanberesolvedintoanIPaddresstoaccesstheinstance.
18. A.Noneoftheotheroptionswillhaveanyeffectontheabilitytoconnect.
19. C.Ashortperiodofheavytrafficisexactlytheusecasefortheburstingnatureofgeneral-purposeSSDvolumes—therestofthedayismorethanenoughtimetobuildupenoughIOPScreditstohandlethenightlytask.Instancestoresarenotdurable,magneticvolumescannotprovideenoughIOPS,andtosetupaProvisionedIOPSSSDvolumetohandlethepeakwouldmeanspendingmoneyformoreIOPSthanyouneed.
20. B.ThereisaverysmallhourlychargeforallocatedelasticIPaddressesthatarenotassociatedwithaninstance.

Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
1. C. The minimum size subnet that you can have in an Amazon VPC is /28.
2. C. You need two public subnets (one for each Availability Zone) and two private subnets (one for each Availability Zone). Therefore, you need four subnets.
3. A. Network ACLs are associated with a VPC subnet to control traffic flow.
4. A. The maximum size subnet that you can have in a VPC is /16.
5. D. By creating a route out to the Internet using an IGW, you have made this subnet public.
6. A. When you create an Amazon VPC, a route table is created by default. You must manually create subnets and an IGW.
7. C. When you provision an Amazon VPC, all subnets can communicate with each other by default.
8. A. You may only have one IGW for each Amazon VPC.
9. B. Security groups are stateful, whereas network ACLs are stateless.
10. C. You should disable source/destination checks on the NAT.
11. B, E. In the EC2-Classic network, the EIP will be disassociated from the instance; in the EC2-VPC network, the EIP remains associated with the instance. Regardless of the underlying network, a stop/start of an Amazon EBS-backed Amazon EC2 instance always changes the host computer.
12. D. Six VPC Peering connections are needed for each of the four VPCs to send traffic to the other.
13. B. A DHCP option set allows customers to define DNS servers for DNS name resolution, establish domain names for instances within an Amazon VPC, define NTP servers, and define the NetBIOS name servers.
14. D. A CGW is the customer side of a VPN connection, and an IGW connects a network to the Internet. A VPG is the Amazon side of a VPN connection.
15. A. The default limit for the number of Amazon VPCs that a customer may have in a region is 5.
16. B. Network ACL rules can deny traffic.
17. D. IPsec is the security protocol supported by Amazon VPC.
18. D. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT device, VPN connection, or AWS Direct Connect.
19. A, C. The CIDR block is specified upon creation and cannot be changed. An Amazon VPC is associated with exactly one region, which must be specified upon creation. You can add a subnet to an Amazon VPC any time after it has been created, provided its address range falls within the Amazon VPC CIDR block and does not overlap with the address range of any existing CIDR block. You can set up peering relationships between Amazon VPCs after they have been created.
20. B. Attaching an ENI associated with a different subnet to an instance can make the instance dual-homed.

Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
1. A, D. An Auto Scaling group must have a minimum size and a launch configuration defined in order to be created. Health checks and a desired capacity are optional.
2. B. The load balancer maintains two separate connections: one connection with the client and one connection with the Amazon EC2 instance.
3. D. Amazon CloudWatch metric data is kept for 2 weeks.
4. A. Only the launch configuration name, AMI, and instance type are needed to create an Auto Scaling launch configuration. Identifying a key pair, security group, and a block device mapping are optional elements for an Auto Scaling launch configuration.
5. B. You can use the Amazon CloudWatch Logs Agent installer on existing Amazon EC2 instances to install and configure the CloudWatch Logs Agent.
6. C. You configure your load balancer to accept incoming traffic by specifying one or more listeners.
7. D. The default Amazon EC2 instance limit for all regions is 20.
8. A. An SSL certificate must specify the name of the website either in the subject name or as a value in the SAN extension of the certificate in order for connecting clients not to receive a warning.
9. C. When Amazon EC2 instances fail the requisite number of consecutive health checks, the load balancer stops sending traffic to the Amazon EC2 instance.
10. D. Amazon CloudWatch metrics provide hypervisor-visible metrics.
11. C. Auto Scaling is designed to scale out based on an event like increased traffic while being cost-effective when not needed.
12. B. Auto Scaling will provide high availability across three Availability Zones with three Amazon EC2 instances in each and keep capacity above the required minimum capacity, even in the event of an entire Availability Zone becoming unavailable.
13. B, E, F. Auto Scaling responds to changing conditions by adding or terminating instances, launches instances from an AMI specified in the launch configuration associated with the Auto Scaling group, and enforces a minimum number of instances in the min-size parameter of the Auto Scaling group.
14. D. A, B, and C are all true statements about launch configurations being loosely coupled and referenced by the Auto Scaling group instead of being part of the Auto Scaling group.
15. A, C. An Auto Scaling group may use On-Demand and Spot Instances. An Auto Scaling group may not use already stopped instances, instances running someplace other than AWS, and already running instances not started by the Auto Scaling group itself.
16. A, F. Amazon CloudWatch has two plans: basic, which is free, and detailed, which has an additional cost. There is no ad hoc plan for Amazon CloudWatch.
17. A, C, D. An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is checked.
18. B, C. When connection draining is enabled, the load balancer will stop sending requests to a deregistered or unhealthy instance and attempt to complete in-flight requests until a connection draining timeout period is reached, which is 300 seconds by default.
19. B, E, F. Elastic Load Balancing supports Internet-facing, internal, and HTTPS load balancers.
20. B, D, E. Auto Scaling supports maintaining the current size of an Auto Scaling group using four plans: maintain current levels, manual scaling, scheduled scaling, and dynamic scaling.

Chapter 6: AWS Identity and Access Management (IAM)
1. B, C. Programmatic access is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.
2. A, C. IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.
3. A, B, C, E. Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.
4. B, D. IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.
5. A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.
6. B, C. Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.
7. A, D. Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.
8. A, C, D. Neither B nor E is a feature supported by IAM.
9. B, C. Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal, as IAM groups do not have user names and passwords. Response B is the best solution; response C will also work, but it is much harder to manage.
10. C. An IAM policy is a JSON document.

Chapter 7: Databases and AWS
1. B. Amazon RDS is best suited for traditional OLTP transactions. Amazon Redshift, on the other hand, is designed for OLAP workloads. Amazon Glacier is designed for cold archival storage.
2. D. Amazon DynamoDB is best suited for non-relational databases. Amazon RDS and Amazon Redshift are both structured relational databases.
3. C. In this scenario, the best idea is to use read replicas to scale out the database and thus maximize read performance. When using Multi-AZ, the secondary database is not accessible and all reads and writes must go to the primary or any read replicas.
4. A. Amazon Redshift is best suited for traditional OLAP transactions. While Amazon RDS can also be used for OLAP, Amazon Redshift is purpose-built as an OLAP data warehouse.
5. B. DB Snapshots can be used to restore a complete copy of the database at a specific point in time. Individual tables cannot be extracted from a snapshot.
6. A. All Amazon RDS database engines support Multi-AZ deployment.
7. B. Read replicas are supported by MySQL, MariaDB, PostgreSQL, and Aurora.
8. A. You can force a failover from one Availability Zone to another by rebooting the primary instance in the AWS Management Console. This is often how people test a failover in the real world. There is no need to create a support case.
9. D. Monitor the environment while Amazon RDS attempts to recover automatically. AWS will update the DB endpoint to point to the secondary instance automatically.
10. A. Amazon RDS supports Microsoft SQL Server Enterprise edition, and the license is available only under the BYOL model.
11. B. General Purpose (SSD) volumes are generally the right choice for databases that have bursts of activity.
12. B. NoSQL databases like Amazon DynamoDB excel at scaling to hundreds of thousands of requests with key/value access to user profile and session data.
13. A, C, D. DB snapshots allow you to back up and recover your data, while read replicas and a Multi-AZ deployment allow you to replicate your data and reduce the time to failover.
14. C, D. Amazon RDS allows for the creation of one or more read replicas for many engines that can be used to handle reads. Another common pattern is to create a cache using Memcached and Amazon ElastiCache to store frequently used queries. The secondary slave DB Instance is not accessible and cannot be used to offload queries.
15. A, B, C. Protecting your database requires a multilayered approach that secures the infrastructure, the network, and the database itself. Amazon RDS is a managed service, and direct access to the OS is not available.
16. A, B, C. Vertically scaling up is one of the simpler options that can give you additional processing power without making any architectural changes. Read replicas require some application changes but let you scale processing power horizontally. Finally, busy databases are often I/O-bound, so upgrading storage to General Purpose (SSD) or Provisioned IOPS (SSD) can often allow for additional request processing.
17. C. Query is the most efficient operation to find a single item in a large table.
18. A. Using the Username as a partition key will evenly spread your users across the partitions. Messages are often filtered down by time range, so Timestamp makes sense as a sort key.
19. B, D. You can only have a single local secondary index, and it must be created at the same time the table is created. You can create many global secondary indexes after the table has been created.
20. B, C. Amazon Redshift is an Online Analytical Processing (OLAP) data warehouse designed for analytics, Extract, Transform, Load (ETL), and high-speed querying. It is not well suited for running transactional applications that require high volumes of small inserts or updates.

Chapter 8: SQS, SWF, and SNS
1. D. Amazon DynamoDB is not a supported Amazon SNS protocol.
2. A. When you create a new Amazon SNS topic, an Amazon ARN is created automatically.
3. A, C, D. Publishers, subscribers, and topics are the correct answers. You have subscribers to an Amazon SNS topic, not readers.
4. A. The default time for an Amazon SQS visibility timeout is 30 seconds.
5. D. The maximum time for an Amazon SQS visibility timeout is 12 hours.
6. B, D. The valid properties of an SQS message are Message ID and Body. Each message receives a system-assigned Message ID that Amazon SQS returns to you in the SendMessage response. The Message Body is composed of name/value pairs and the unstructured, uninterpreted content.
7. B. Use a single domain with multiple workflows. Workflows within separate domains cannot interact.
8. A, B, C. In Amazon SWF, actors can be activity workers, workflow starters, or deciders.
9. B. Amazon SWF would best serve your purpose in this scenario because it helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.
10. D. Amazon SQS does not guarantee in what order your messages will be delivered.
11. A. Multiple queues can subscribe to an Amazon SNS topic, which can enable parallel asynchronous processing.
12. D. Long polling allows your application to poll the queue, and, if nothing is there, Amazon Elastic Compute Cloud (Amazon EC2) waits for an amount of time you specify (between 1 and 20 seconds). If a message arrives in that time, it is delivered to your application as soon as possible. If a message does not arrive in that time, you need to execute the ReceiveMessage function again.
13. B. The maximum time for an Amazon SQS long polling timeout is 20 seconds.
14. D. The longest configurable message retention period for Amazon SQS is 14 days.
15. B. The default message retention period that can be set in Amazon SQS is four days.
16. D. With Amazon SNS, you send individual or multiple messages to large numbers of recipients using publisher and subscriber client types.
17. B. The decider schedules the activity tasks and provides input data to the activity workers. The decider also processes events that arrive while the workflow is in progress and closes the workflow when the objective has been completed.
18. C. Topic names should typically be available for reuse approximately 30–60 seconds after the previous topic with the same name has been deleted. The exact time will depend on the number of subscriptions active on the topic; topics with a few subscribers will be available instantly for reuse, while topics with larger subscriber lists may take longer.
19. C. The main difference between Amazon SQS policies and IAM policies is that an Amazon SQS policy enables you to grant a different AWS account permission to your Amazon SQS queues, but an IAM policy does not.
20. C. No. After a message has been successfully published to a topic, it cannot be recalled.

Chapter 9: Domain Name System (DNS) and Amazon Route 53
1. C. An AAAA record is used to route traffic to an IPv6 address, whereas an A record is used to route traffic to an IPv4 address.
2. B. Domain names are registered with a domain registrar, which then registers the name to InterNIC.
3. C. You should route your traffic based on where your end users are located. The best routing policy to achieve this is geolocation routing.
4. D. A PTR record is used to resolve an IP address to a domain name, and it is commonly referred to as “reverse DNS.”
5. B. You want your users to have the fastest network access possible. To do this, you would use latency-based routing. Geolocation routing would not achieve this as well as latency-based routing, which is specifically geared toward measuring the latency and thus would direct you to the AWS region in which you would have the lowest latency.
6. C. You would use Mail eXchange (MX) records to define which inbound destination mail server should be used.
7. B. SPF records are used to verify authorized senders of mail from your domain.
8. B. Weighted routing would best achieve this objective because it allows you to specify which percentage of traffic is directed to each endpoint.
9. D. The start of a zone is defined by the SOA; therefore, all zones must have an SOA record by default.
10. D. Failover-based routing would best achieve this objective.
11. B. The CNAME record maps a name to another name. It should be used only when there are no other records on that name.
12. C. Amazon Route 53 performs three main functions: domain registration, DNS service, and health checking.
13. A. A TXT record is used to store arbitrary and unformatted text with a host.
14. C. The resource record sets contained in a hosted zone must share the same suffix.
15. B. DNS uses port number 53 to serve requests.
16. D. DNS primarily uses UDP to serve requests.
17. A. The TCP protocol is used by DNS servers when the response data size exceeds 512 bytes or for tasks such as zone transfers.
18. B. Using Amazon Route 53, you can create two types of hosted zones: public hosted zones and private hosted zones.
19. D. Amazon Route 53 can route queries to a variety of AWS resources such as an Amazon CloudFront distribution, an Elastic Load Balancing load balancer, an Amazon EC2 instance, a website hosted in an Amazon S3 bucket, and an Amazon Relational Database Service (Amazon RDS) instance.
20. D. You must first transfer the existing domain registration from another registrar to Amazon Route 53 to configure it as your DNS service.

Chapter 10: Amazon ElastiCache
1. A, B, C. Many types of objects are good candidates to cache because they have the potential to be accessed by numerous users repeatedly. Even the balance of a bank account could be cached for short periods of time if the back-end database query is slow to respond.
2. B, C. Amazon ElastiCache supports Memcached and Redis cache engines. MySQL is not a cache engine, and Couchbase is not supported.
3. C. The default limit is 20 nodes per cluster.
4. A. Redis clusters can only contain a single node; however, you can group multiple clusters together into a replication group.
5. B, C. Amazon ElastiCache is Application Programming Interface (API)-compatible with existing Memcached clients and does not require the application to be recompiled or linked against the libraries. Amazon ElastiCache manages the deployment of the Amazon ElastiCache binaries.
6. B, C. Amazon ElastiCache with the Redis engine allows for both manual and automatic snapshots. Memcached does not have a backup function.
7. B, C, D. Limit access at the network level using security groups or network ACLs, and limit infrastructure changes using IAM.
8. C. Amazon ElastiCache with Redis provides native functions that simplify the development of leaderboards. With Memcached, it is more difficult to sort and rank large datasets. Amazon Redshift and Amazon S3 are not designed for high volumes of small reads and writes, typical of a mobile game.
9. A. When the clients are configured to use Auto Discovery, they can discover new cache nodes as they are added or removed. Auto Discovery must be configured on each client and is not active server side. Updating the configuration file each time will be very difficult to manage. Using an Elastic Load Balancer is not recommended for this scenario.
10. A, B. Amazon ElastiCache supports both Memcached and Redis. You can run self-managed installations of Membase and Couchbase using Amazon Elastic Compute Cloud (Amazon EC2).

Chapter 11: Additional Key Services
1. B, C, E. Amazon CloudFront can use an Amazon S3 bucket or any HTTP server, whether or not it is running in Amazon EC2. A Route 53 Hosted Zone is a set of DNS resource records, while an Auto Scaling Group launches or terminates Amazon EC2 instances automatically. Neither can be specified as an origin server for a distribution.
2. A, C. The site in A is “popular” and supports “users around the world,” key indicators that CloudFront is appropriate. Similarly, the site in C is “heavily used,” and requires private content, which is supported by Amazon CloudFront. Both B and D are corporate use cases where the requests come from a single geographic location or appear to come from one (because of the VPN). These use cases will generally not see benefit from Amazon CloudFront.
3. C, E. Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution. Origin Access Identifiers and signed URLs support serving private content from Amazon CloudFront, while multiple edge locations are simply how Amazon CloudFront serves any content.
4. B. Amazon CloudFront OAI is a special identity that can be used to restrict access to an Amazon S3 bucket only to an Amazon CloudFront distribution. Signed URLs, signed cookies, and IAM bucket policies can help to protect content served through Amazon CloudFront, but OAIs are the simplest way to ensure that only Amazon CloudFront has access to a bucket.
5. C. AWS Storage Gateway allows you to access data in Amazon S3 locally, with the Gateway-Cached volume configuration allowing you to expand a relatively small amount of local storage into Amazon S3.
6. B. Simple AD is a Microsoft Active Directory-compatible directory that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies.
7. C. AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.
8. D. AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a Customer Master Key (CMK), and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.
9. A. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS Cloud service.
10. B, C. Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.
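As an added example (not code from the book), the Go program below simulates locally the envelope-encryption and encryption-context behaviour that answers 8 and 10 describe: a fresh data key is wrapped under a master key with the context bound as additional authenticated data, the data is encrypted under the data key, and decryption fails if the context differs or the stored ciphertext has been altered. The master key is a constructed in-process AES-256 key standing in for a CMK; with real AWS KMS the wrap and unwrap steps are service API calls, not local code.

```go
// Added example, not code from the book: a local simulation of the envelope
// encryption (answer 8) and encryption context (answer 10) behaviour. The
// master key is a constructed in-process AES-256 key standing in for a CMK.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Envelope is what gets stored: wrapped data key beside the data ciphertext.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// canonicalContext serialises the key/value pairs deterministically for use
// as additional authenticated data (assumes no '=' or ';' in keys/values).
func canonicalContext(ctx map[string]string) []byte {
	parts := make([]string, 0, len(ctx))
	for k, v := range ctx {
		parts = append(parts, k+"="+v)
	}
	sort.Strings(parts)
	return []byte(strings.Join(parts, ";"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag, with aad authenticated.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM fails if the ciphertext was altered or aad does not match.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt mirrors GenerateDataKey plus client-side encryption: a fresh data
// key is wrapped under the master key and used once for the data; the context
// is bound to both, and the plaintext data key is discarded on return.
func Encrypt(masterKey, plaintext []byte, ctx map[string]string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aad := canonicalContext(ctx)
	wrapped, err := sealGCM(masterKey, dataKey, aad)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the master key only to unwrap the data key; the same context
// must be supplied again or the unwrap fails.
func Decrypt(masterKey []byte, env *Envelope, ctx map[string]string) ([]byte, error) {
	aad := canonicalContext(ctx)
	dataKey, err := openGCM(masterKey, env.WrappedDataKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, env.Ciphertext, aad)
}

func main() {
	master := make([]byte, 32) // constructed stand-in for a CMK
	_, _ = rand.Read(master)
	ctx := map[string]string{"tenant": "example"}
	env, _ := Encrypt(master, []byte("payroll export"), ctx)
	_, err := Decrypt(master, env, map[string]string{"tenant": "other"})
	fmt.Println("decrypt with a different context:", err)
}
```

Storing the context beside the ciphertext in the clear is fine, since it is authenticated rather than secret; what matters is that a decrypt request with a different context, or against altered ciphertext, is refused.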
11. B. Because the Internet connection is full, the best solution will be based on using AWS Import/Export to ship the data. The most appropriate storage location for data that must be stored, but is very rarely accessed, is Amazon Glacier.
12. C. Because the job is run monthly, a persistent cluster will incur unnecessary compute costs during the rest of the month. Amazon Kinesis is not appropriate because the company is running analytics as a batch job and not on a stream. A single large instance does not scale out to accommodate the large compute needs.
13. D. The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provide the ability to process the data in the stream.
14. C. Amazon Data Pipeline allows you to run regular Extract, Transform, Load (ETL) jobs on Amazon and on-premises data sources. The best storage for large data is Amazon S3, and Amazon Redshift is a large-scale data warehouse service.
15. B. Amazon Kinesis Firehose allows you to ingest massive streams of data and store the data on Amazon S3 (as well as Amazon Redshift and Amazon Elasticsearch).
16. C. AWS OpsWorks uses Chef recipes to start new app server instances, configure application server software, and deploy applications. Organizations can leverage Chef recipes to automate operations like software configurations, package installations, database setups, server scaling, and code deployment.
17. A. With AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once and then provision the same resources over and over in multiple stacks.
18. B. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving hundreds of thousands of AWS customers.
19. A. AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing.
20. D. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.

Chapter 12: Security on AWS
1. B. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
2. C. The administrator password is encrypted with the public key of the key pair, and you provide the private key to decrypt the password. Then log in to the instance as the administrator with the decrypted password.
3. C. By default, network access is turned off to a DB Instance. You can specify rules in a security group that allows access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.
4. A. Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.
5. C. IAM permits users to have no more than two active access keys at one time.
6. B. The shared responsibility model is the name of the model employed by AWS with its customers.
7. D. When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a database key, and data encryption keys.
8. D. Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client’s list that matches any one of the load balancer’s ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the load balancer determines which cipher is used for the SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.
9. C. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.
10. C. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
11. A. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.
12. B, D. Amazon DynamoDB does not have a server-side feature to encrypt items within a table. You need to use a solution outside of DynamoDB such as a client-side library to encrypt items before storing them, or a key management service like AWS Key Management Service to manage keys that are used to encrypt items before storing them in DynamoDB.
13. B. If your private key can be read or written to by anyone but you, then SSH ignores your key.
14. D. Amazon Cognito Identity supports public identity providers—Amazon, Facebook, and Google—as well as unauthenticated identities.
15. A. An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.
16. B. A network ACL is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your Amazon VPC.
17. D. The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
18. B. Dedicated instances are physically isolated at the host hardware level from your instances that aren’t dedicated instances and from instances that belong to other AWS accounts.
19. C. Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.
20. A. When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.

Chapter 13: AWS Risk and Compliance
1. A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers’ auditors direct access to AWS data centers, infrastructure, or staff.
2. C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.
3. A. AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
4. A, B, D. There is no such thing as a SOC 4 report; therefore, answer C is incorrect.
5. A. IT governance is still the customer’s responsibility.
6. D. Any number of components of a workload can be moved into AWS, but it is the customer’s responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.
7. B. An Availability Zone consists of multiple discrete data centers, each with its own redundant power and networking/connectivity; therefore, answer B is correct.
8. A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance; therefore, answers A and C are correct.
9. B. AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS; therefore, answer B is correct.
10. C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans; therefore, answer C is correct.
11. B. The collective control environment includes the people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. Energy is not a discretely identified part of the control environment; therefore, B is the correct answer.
12. D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications; therefore, answer D is correct.
13. C. Customers should ensure that they implement control objectives that are designed to meet their organization’s own unique compliance requirements; therefore, answer C is correct.
Chapter14:ArchitectureBestPractices1. B,E.AmazonKinesisisaplatformforstreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdata.AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcost-effectivetodecouplethecomponentsofacloudapplication.
2. B,C.LaunchinginstancesacrossmultipleAvailabilityZoneshelpsensuretheapplicationisisolatedfromfailuresinasingleAvailabilityZone,allowingtheapplicationtoachievehigheravailability.WhetheryouarerunningoneAmazonEC2instanceorthousands,youcanuseAutoScalingtodetectimpairedAmazonEC2instancesandunhealthyapplicationsandreplacetheinstanceswithoutyourintervention.Thisensuresthatyourapplicationisgettingthecomputecapacitythatyouexpect,therebymaintainingyouravailability.
3. A,E.AmazonDynamoDBrunsacrossAWSproven,high-availabilitydatacenters.TheservicereplicatesdataacrossthreefacilitiesinanAWSregiontoprovidefaulttoleranceintheeventofaserverfailureorAvailabilityZoneoutage.AmazonS3providesdurableinfrastructuretostoreimportantdataandisdesignedfordurabilityof99.999999999%ofobjects.Yourdataisredundantlystoredacrossmultiplefacilitiesandmultipledevicesineachfacility.WhileElasticLoadBalancingandAmazonElastiCachecanbedeployedacrossmultipleAvailabilityZones,youmustexplicitlytakesuchstepswhencreatingthem.
4. A,D.AutoScalingenablesyoutofollowthedemandcurveforyourapplicationsclosely,reducingtheneedtoprovisionAmazonEC2capacitymanuallyinadvance.Forexample,youcansetaconditiontoaddnewAmazonEC2instancesinincrementstotheAutoScalinggroupwhentheaverageCPUandnetworkutilizationofyourAmazonEC2fleetmonitoredinAmazonCloudWatchishigh;similarly,youcansetaconditiontoremoveinstancesinthesameincrementswhenCPUandnetworkutilizationarelow.
5. B,D,E.Thereisnodirectwaytoencryptanexistingunencryptedvolume.However,youcanmigratedatabetweenencryptedandunencryptedvolumes.
6. A, C, D. The attack surface is composed of the different Internet entry points that allow access to your application. The strategy to minimize the attack surface area is to (a) reduce the number of necessary Internet entry points, (b) eliminate non-critical Internet entry points, (c) separate end user traffic from management traffic, (d) obfuscate necessary Internet entry points to the level that untrusted end users cannot access them, and (e) decouple Internet entry points to minimize the effects of attacks. This strategy can be accomplished with Amazon VPC.
7. C. Amazon RDS read replicas provide enhanced performance and durability for Amazon RDS instances. This replication feature makes it easy to scale out elastically beyond the capacity constraints of a single Amazon RDS instance for read-heavy database workloads. You can create one or more replicas of a given source Amazon RDS instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput.
8. A. An alias resource record set can point to an ELB. You cannot create a CNAME record at the top node of a Domain Name Service (DNS) namespace, also known as the zone apex, as is the case in this example. Alias resource record sets can save you time because Amazon Route 53 automatically recognizes changes in the resource record sets to which the alias resource record set refers.
9. D. An instance profile is a container for an AWS Identity and Access Management (IAM) role that you can use to pass role information to an Amazon EC2 instance when the instance starts. The IAM role should have a policy attached that only allows access to the AWS Cloud services necessary to perform its function.
10. B. Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
11. C. Amazon EFS is a file storage service for Amazon EC2 instances. Multiple Amazon EC2 instances can access an Amazon EFS file system at the same time, providing a common data source for the content of the WordPress site running on more than one instance.
12. A. Amazon DynamoDB is a NoSQL database store that is a great choice as an alternative due to its scalability, high-availability, and durability characteristics. Many platforms provide open-source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB. Amazon DynamoDB is a great candidate for a session storage solution in a share-nothing, distributed architecture.
13. B. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS should be used to decouple the large volume of inbound transactions, allowing the back-end services to manage the level of throughput without losing messages.
14. B, C, E. You should protect AWS user access keys like you would your credit card numbers or any other sensitive secret. Use different access keys for different applications so that you can isolate the permissions and revoke the access keys for individual applications if an access key is exposed. Remember to change access keys on a regular basis. For increased security, it is recommended to configure MFA for any sensitive operations. Remember to remove any IAM users that are no longer needed so that the user’s access to your resources is removed. Always avoid having to embed access keys in an application.
15. A, B, E. You can enable AWS CloudTrail in your AWS account to get logs of API calls and related events’ history in your account. AWS CloudTrail records all of the API access events as objects in an Amazon S3 bucket that you specify at the time you enable AWS CloudTrail. You can take advantage of Amazon S3’s bucket notification feature by directing Amazon S3 to publish object-created events to AWS Lambda. Whenever AWS CloudTrail writes logs to your Amazon S3 bucket, Amazon S3 can then invoke your AWS Lambda function by passing the Amazon S3 object-created event as a parameter. The AWS Lambda function code can read the log object and process the access records logged by AWS CloudTrail.
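As an added example (not from the book), a minimal AWS Lambda handler in Python for the flow in answer 15: it takes the Amazon S3 object-created event, reads the gzip-compressed CloudTrail log object, and flags root-user API calls and a few sensitive IAM/CloudTrail actions for review. The sample log, the SENSITIVE_EVENTS set and the flagging rules are assumptions made for this example.

```python
import gzip
import json
import urllib.parse

# Constructed sample: one CloudTrail log object in the shape CloudTrail writes to S3,
# gzip-compressed JSON with a top-level "Records" list (values are made up).
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2017-01-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-01-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "Root"}},
]}).encode())

# API calls that merit a second look; this set is an assumption for the example.
SENSITIVE_EVENTS = {"CreateAccessKey", "DeleteTrail", "StopLogging",
                    "PutUserPolicy", "AttachUserPolicy"}


def parse_cloudtrail_object(body):
    """Decompress one CloudTrail log object and return its list of access records."""
    return json.loads(gzip.decompress(body)).get("Records", [])


def find_suspicious(records):
    """Return (reason, record) pairs for root-user activity and sensitive API calls."""
    hits = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") == "Root":
            hits.append(("root-user-api-call", rec))
        if rec.get("eventName") in SENSITIVE_EVENTS:
            hits.append(("sensitive-event", rec))
    return hits


def lambda_handler(event, context):
    """Entry point invoked by the S3 object-created notification."""
    import boto3  # imported here so the parsing logic above also runs offline
    s3 = boto3.client("s3")
    reasons = []
    for s3_rec in event["Records"]:
        bucket = s3_rec["s3"]["bucket"]["name"]
        # S3 URL-encodes the object key inside event notifications
        key = urllib.parse.unquote_plus(s3_rec["s3"]["object"]["key"])
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        for reason, rec in find_suspicious(parse_cloudtrail_object(body)):
            print(json.dumps({"reason": reason, "eventName": rec.get("eventName"),
                              "source": rec.get("sourceIPAddress"),
                              "time": rec.get("eventTime")}))
            reasons.append(reason)
    return reasons
```

Run against SAMPLE_LOG, parse_cloudtrail_object and find_suspicious flag the CreateAccessKey call and the root-user GetObject; in a real deployment the printed lines land in CloudWatch Logs for alerting.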
16. B. Amazon Glacier enables businesses and organizations to retain data for months, years, or decades, easily and cost effectively. With Amazon Glacier, customers can retain more of their data for future analysis or reference, and they can focus on their business instead of operating and maintaining their storage infrastructure. Customers can also use Amazon Glacier Vault Lock to meet regulatory and compliance archiving requirements.
17. A. Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, such as users who have paid a fee. To serve this private content securely using Amazon CloudFront, you can require that users access your private content by using special Amazon CloudFront-signed URLs or signed cookies.
18. B. Amazon S3 provides highly durable and available storage for a variety of content. Amazon S3 can be used as a big data object store for all of the videos. Amazon S3’s low cost combined with its design for durability of 99.999999999% and for up to 99.99% availability make it a great storage choice for transcoding services.
19. A. An Availability Zone consists of one or more physical data centers. Availability Zones within a region provide inexpensive, low-latency network connectivity to other zones in the same region. This allows you to distribute your application across data centers. In the event of a catastrophic failure in a data center, the application will continue to handle requests.
20. C. You can use a NAT gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. If you have resources in multiple Availability Zones and they share one NAT gateway, resources in the other Availability Zones lose Internet access in the event that the NAT gateway’s Availability Zone is down. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
Comprehensive Online Learning Environment
Register on Sybex.com to gain access to the comprehensive online interactive learning environment and test bank to help you study for your AWS Certified Solutions Architect - Associate exam.
The online test bank includes:
Assessment Test to help you focus your study to specific objectives
Chapter Tests to reinforce what you've learned
Practice Exams to test your knowledge of the material
Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam
Searchable Glossary to define the key terms you'll need to know for the exam
Go to http://www.wiley.com/go/sybextestprep to register and gain access to this comprehensive study tool package.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.