AWS Cloud Services Important Point(s)

Introduction

This document contains all the important points related to AWS Cloud Services that we prepared for the Associate Architect exams. It also contains some basic architecture diagrams for reference. Please add any important point we missed in the comment section.


S. No.

Important Point(s)

1.

AWS stands for Amazon Web Services.


2.

Six advantages of cloud computing:

o   Global in minutes

o   Variable vs capital expense

o   Stop guessing capacity

o   Economies of Scale

o   Focus on business differentiators

o   Increase speed and agility


3.

You can achieve high availability by deploying your application across multiple Availability Zones. Redundant instances for each tier (for example, web, application, and database) of an application should be placed in distinct Availability Zones, thereby creating a multi-site solution. At a minimum, the goal is to have an independent copy of each application stack in two or more Availability Zones.

4.

5.

NAT instances are EC2 instances running in a public subnet that allow EC2 instances running in a private subnet to connect to the internet.

NAT instances require a security group configured to allow the ingress and egress traffic to and from the internet.

A NAT gateway does not sit behind a security group, unlike NAT instances, which are always behind one.

NAT gateways are highly available and are created with redundancy within their Availability Zone. A NAT gateway supports bandwidth bursts of up to 10 Gbps.

6.

An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.

7.

Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3), and other services are expected to be added in the future.

8.

Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network.

9.

A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.

10.

A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances.

11.

All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.

12.

  • You can create up to 500 security groups for each Amazon VPC.

  • You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to five security groups with each network interface.

  • You can specify allow rules, but not deny rules. This is an important difference between security groups and network ACLs.

  • You can specify separate rules for inbound and outbound traffic.

13.

A network access control list (ACL) is another layer of security that acts as a stateless firewall at the subnet level. Every subnet must be associated with a network ACL.

14.

By default, any instance that you launch into a private subnet in an Amazon VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access.

15.

For common use cases, we recommend that you use a NAT gateway instead of a NAT
instance. The NAT gateway provides better availability and higher bandwidth, and requires
less administrative effort than NAT instances.

16.

To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.

17.

A VPC consists of the following components:

  • Subnets

  • Route tables

  • DHCP option sets

  • Security groups

  • Network ACLs

18.

A VPC has the following optional components:

  • IGWs

  • EIP addresses

  • Endpoints

  • Peering

  • NAT instance and NAT gateway

  • VPG, CGW, and VPN

19.

Elastic Load Balancing is a highly available service itself and can be used to help build highly available architectures.

20.

An AWS recommended best practice is always to reference a load balancer by its DNS name, instead of by the IP address of the load balancer, in order to provide a single, stable entry point.

21.

To ensure that the load balancer is responsible for closing the connections to your back-end instance, make sure that the value you set for the keep-alive time is greater than the idle timeout setting on your load balancer.

22.

Long-running applications will eventually need to be maintained and updated with a newer version of the application. When using Amazon EC2 instances running behind an Elastic Load Balancing load balancer, you may deregister these long-running Amazon EC2 instances associated with a load balancer manually and then register newly launched Amazon EC2 instances that you have started with the new updates installed.

23.

Manual scaling out can be very useful to increase resources for an infrequent event, such as the release of a new game version that will be available for download and require a user registration. For extremely large-scale events, even the Elastic Load Balancing load balancers can be pre-warmed by working with your local solutions architect or AWS Support.

24.

Recurring events such as end-of-month, quarter, or year processing, or scheduled and recurring automated load and performance testing, can be anticipated and Auto Scaling can be ramped up appropriately at the time of the scheduled event.

25.

Auto Scaling has several components that need to be configured to work properly: a launch configuration, an Auto Scaling group, and an optional scaling policy.

26.

Scale out quickly; scale in slowly.

27.

Using IAM roles for Amazon EC2 removes the need to store AWS credentials in a configuration file.

28.

Using predefined managed policies ensures that when new permissions are added for new features, your users will still have the correct access.

29.

A good first step is to use the root user to create a new IAM group called “IAM Administrators” and assign the managed policy “IAMFullAccess.” Then create a new IAM user called “Administrator,” assign a password, and add it to the IAM Administrators group. At this point, you can log off as the root user and perform all further administration with the IAM user account.

30.

MFA requires you to verify your identity with both something you know and something you have.

31.

Access keys should be rotated on a regular schedule.

32.

All the appropriate policies are evaluated; if there is an explicit “deny” found in any policy, the request is denied and evaluation stops.

33.

If there are no explicit “allow” or “deny” permissions found, then the default “deny” is maintained and the request is denied.

34.

The policy cannot override any permission that is denied by default in the role.

35.

The three principals that can authenticate and interact with AWS resources are the root user, IAM users, and roles. The root user is associated with the actual AWS account and cannot be restricted in any way. IAM users are persistent identities that can be controlled through IAM. Roles allow people or processes the ability to operate temporarily with a different identity. People or processes assume a role by being granted a temporary security token that will expire after a specified period of time.

36.

A policy is a JSON document that defines one or more permissions to interact with AWS resources. Each permission includes the effect, service, action, and resource. It may also include one or more conditions. AWS makes many predefined policies available as managed policies.

37.

An authenticated principal is associated with zero to many policies. For an IAM user, these policies may be attached directly to the user account or attached to an IAM group of which the user account is a member. A temporary security token is associated with policies by assuming an IAM role.

38.

MFA increases the security of an AWS account by augmenting the password (something you know) with a rotating OTP from a small device (something you have), ensuring that anyone authenticating the account has both knowledge of the password and possession of the device. AWS supports both Gemalto hardware MFA devices and a number of virtual MFA apps.

39.

To protect your AWS infrastructure, access keys should be rotated regularly. AWS allows two access keys to be valid simultaneously to make the rotation process straightforward: generate a new access key, configure your application to use the new access key, test, disable the original access key, test, delete the original access key, and test again.
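The rotation sequence in points 31 and 39 is worth scripting so that every "test" step actually gates the next destructive step. Below is an added example written for these notes, not AWS or boto3 code: rotate_access_key walks the generate, reconfigure, test, disable, test, delete, test sequence and rolls back when a check fails. FakeIAM is a constructed stand-in for boto3.client('iam') that keeps the real client's method names (create_access_key, update_access_key, delete_access_key, list_access_keys) and response shapes so the routine could be handed the real client; FakeApp, the user name deploy-bot and the key ID AKIAOLDKEY0000000000 are likewise constructed.

```python
import secrets


class FakeIAM:
    """Offline stand-in for boto3.client('iam'); constructed for this example.
    Method names and response shapes follow the real client so the rotation
    routine below could be handed a real client unchanged."""

    def __init__(self, existing_key_ids=()):
        self.keys = {k: "Active" for k in existing_key_ids}  # AccessKeyId -> Status

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: a user may hold at most two access keys")
        key_id = "AKIA" + secrets.token_hex(8).upper()
        self.keys[key_id] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": secrets.token_urlsafe(30),
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}


def rotate_access_key(iam, user, old_key_id, reconfigure, healthcheck):
    """Generate, reconfigure, test, disable old, test, delete old, test.
    reconfigure(key_id, secret) installs the new credential in the application;
    healthcheck() returns True while the application still works. A failed
    check stops the procedure at a point that can still be recovered from."""
    new = iam.create_access_key(UserName=user)["AccessKey"]
    reconfigure(new["AccessKeyId"], new["SecretAccessKey"])
    if not healthcheck():
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("application failed with the new key; old key still active")
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if not healthcheck():
        iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Active")
        raise RuntimeError("something still uses the old key; it has been re-enabled")
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    if not healthcheck():
        raise RuntimeError("application failed after deleting the old key")
    return new["AccessKeyId"]


class FakeApp:
    """Constructed application whose only dependency is one access key."""

    def __init__(self, iam, key_id):
        self.iam, self.key_id = iam, key_id

    def reconfigure(self, key_id, secret):
        self.key_id = key_id

    def works(self):
        return self.iam.keys.get(self.key_id) == "Active"


def demo(forget_to_reconfigure=False):
    """Return the user's key list after a rotation. With forget_to_reconfigure
    the app keeps using the old key, so disabling it fails the check and the
    routine re-enables the old key instead of deleting it."""
    old = "AKIAOLDKEY0000000000"  # constructed key ID
    iam = FakeIAM(existing_key_ids=[old])
    app = FakeApp(iam, old)
    reconfigure = (lambda k, s: None) if forget_to_reconfigure else app.reconfigure
    try:
        rotate_access_key(iam, "deploy-bot", old, reconfigure, app.works)
    except RuntimeError as err:
        print("rotation aborted:", err)
    return iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"]


if __name__ == "__main__":
    print(demo())
    print(demo(forget_to_reconfigure=True))
```

Disabling before deleting is what makes the middle check meaningful: an Inactive key can be switched back to Active if some forgotten consumer still depends on it, whereas a deleted key cannot be recovered.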

40.

Roles are the basis for federating external IdPs with AWS. You configure an IAM IdP to interact with the external IdP, the authenticated identity from the IdP is mapped to a role, and a temporary security token is returned that has assumed that role. AWS supports both SAML and OIDC IdPs.

41.

Resolving multiple permissions is relatively straightforward. If an action on a resource has not been explicitly allowed by a policy, it is denied. If two policies contradict each other; that is, if one policy allows an action on a resource and another policy denies that action, the action is denied. While this sounds improbable, it may occur due to scope differences in a policy. One policy may expose an entire fleet of Amazon EC2 instances, and a second policy may explicitly lock down one particular instance.
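Points 32, 33 and 41 describe one evaluation order: an explicit deny anywhere wins and stops evaluation, otherwise any matching allow permits, otherwise the default deny applies. The following is an added example written for these notes, not AWS code, that implements that order over JSON policy documents with IAM-style wildcards, using the fleet-versus-one-instance scenario from point 41. It deliberately covers only identity-based policies with Effect, Action and Resource; NotAction, NotResource, Condition blocks, resource-based policies, permissions boundaries and SCPs are out of scope. The account ID 111122223333, the instance IDs and the two policies are constructed.

```python
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account ID, not a real account
PROD = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
DEV = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0fedcba9876543210"

# Constructed policies mirroring the note's scenario: one policy exposes the
# whole fleet, a second explicitly locks down a single instance.
FLEET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:Describe*"],
        "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
    }],
})
LOCKDOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:StopInstances",
        "Resource": PROD,
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Decide one request against a set of identity-based policy documents.
    Any matching explicit Deny wins and stops evaluation; otherwise a matching
    Allow permits; otherwise the default Deny stands."""
    allowed = False
    for document in policies:
        for stmt in _as_list(json.loads(document)["Statement"]):
            if not _matches(stmt.get("Action", []), action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource", []), resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    both = [FLEET_POLICY, LOCKDOWN_POLICY]
    for action, resource in [("ec2:StopInstances", DEV), ("ec2:StopInstances", PROD),
                             ("ec2:describeinstances", PROD), ("ec2:TerminateInstances", DEV)]:
        print(f"{action:26} {resource.rsplit('/', 1)[1]:22} -> {evaluate(both, action, resource)}")
```

Because the deny short-circuits regardless of where it appears, the order in which the two policies are attached does not matter; and an action no policy mentions at all (TerminateInstances here) is denied without any deny statement being present.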

42.

Existing databases can be migrated to Amazon RDS using native tools and techniques that vary depending on the engine. For example, with MySQL, you can export a backup using mysqldump and import the file into Amazon RDS MySQL. You can also use the AWS Database Migration Service, which gives you a graphical interface that simplifies the migration of both schema and data between databases. AWS Database Migration Service also helps convert databases from one database engine to another.

43.

For most applications, General Purpose (SSD) is the best option and provides a good mix of lower-cost and higher-performance characteristics.

44.

You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. To enhance your disaster recovery capabilities or reduce global latencies, you can use cross-region read replicas to serve read traffic from a region closest to your global users or migrate your databases across AWS Regions.

45.

A COPY command can load data into a table in the most efficient manner, and it supports multiple types of input data sources. The fastest way to load data into Amazon Redshift is doing bulk data loads from flat files stored in an Amazon Simple Storage Service (Amazon S3) bucket or from an Amazon DynamoDB table.

46.

For mobile applications, a best practice is to use a combination of web identity federation with the AWS Security Token Service (AWS STS) to issue temporary keys that expire after a short period.

47.

Amazon RDS currently supports six relational database engines:

• Microsoft SQL Server

• MySQL Server

• Oracle

• PostgreSQL

• MariaDB

• Amazon Aurora

48.

NoSQL databases are non-relational databases, meaning that you do not have to have an existing table created in which to store your data. NoSQL databases come in the following formats:

• Document databases

• Graph stores

• Key/value stores

• Wide-column stores

49.

Routing Policies

• Simple

• Weighted

• Latency

• Failover

• Geolocation

• Multi Value

50.

Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. You can use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be continuously available.

51.

52.

Amazon SQS supports up to 12 hours’ maximum visibility timeout.

53.

The messages are identified via a globally unique ID that Amazon SQS returns when the message is delivered to the queue. The ID isn’t required in order to perform any further actions on the message, but it’s useful for tracking whether a particular message in the queue has been received. When you receive a message from the queue, the response includes a receipt handle, which you must provide when deleting the message.

54.

Amazon SQS uses three identifiers that you need to be familiar with: queue URLs, message IDs, and receipt handles.

55.

AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.

56.

Six advantages of Cloud Computing are

• Trade capital expense for variable expense

• Benefits from massive economies of scale

• Stop guessing capacity

• Increase speed and agility

• Stop spending money running and maintaining data centers

• Go global in minutes

57.

Avoid undifferentiated work such as procurement, maintenance, and capacity planning.

58.

The three cloud computing service models are Infrastructure as a Service, Platform as a Service, and Software as a Service.

59.

The AWS Cloud infrastructure is built around AWS Regions and Availability Zones.

60.

The AWS Cloud operates in over 60 Availability Zones within over 20 geographic Regions around the world.

61.

Benefits of AWS Security

• Keep your data safe

• Meet compliance requirements

• Save money

• Scale quickly

62.

The following is a partial list of assurance programs with which AWS complies:

• SOC 1/ISAE 3402, SOC 2, SOC 3

• FISMA, DIACAP, and FedRAMP

• PCI DSS Level 1

• ISO 9001, ISO 27001, ISO 27017, ISO 27018

63.

To access the services, you can use the AWS Management Console, the Command Line Interface, or Software Development Kits (SDKs).

64.

Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

65.

Amazon Kinesis currently offers four services: Kinesis Data Firehose, Kinesis Data Analytics, Kinesis Data Streams, and Kinesis Video Streams.

66.

67.
