AWS: Certified Cloud Practitioner

Some last notes I took before taking and passing the AWS Certified Cloud Practitioner Exam (February 22, 2022).

Key areas I wanted to focus on and understand better.

Databases

DynamoDB - Unstructured NoSQL, auto-scales
Aurora - Cloud-first MySQL and Postgres replacement, self-healing, Aurora is more performant, durable, scalable, resilient than RDS
Redshift - data warehouse
RDS - Managed DB, more DB’s supported than Aurora (Oracle)

AWS Billing and Cost Management Tools

By order of information:

AWS Cost Explorer - query resource cost via API, visual UI, the highest level of granularity
AWS Cost Reports - generates S3 reports
AWS Budget - predict spending, optimize use, some forecasting
AWS data migration tools

By order of max data to transfer:

Snowcone - GB to TB
Snowball Edge
Snowmobile - TB to PB

AWS IAM distinctions

Policy - an object that defines an identity’s permissions
Role - groupings of policy that facilitates a specific set of responsibilities
User
Group

AWS Gateway differences

API - Allows access to API endpoints, methods
Internet - VPC to public internet, bidirectional
NAT - resources in VPC to public internet, unidirectional
File, Storage - optimizes multipart uploads and bandwidth for file uploading

AWS Identity Management services

Cognito vs AWS SSO - Access to Apps, Services vs. Access Across AWS Accounts

Note that AWS SSO has been deprecated and replaced with AWS IAM Identity Center.

Different AWS security services

AWS Inspector - Finds and identifies security vulnerabilities and security best practices, EC2
AWS Trusted Advisor - AWS best practices (general), an AWS Support service
AWS Security Hub - Integrates with Trusted Advisor, finds and recommends improvements to security practices
AWS GuardDuty - Threat analysis on logs

App/Resource security:

AWS Shield - DDOS
AWS WAF - web app exploits
AWS Network Firewall - inbound, outbound rules

Keys/licenses:

Secrets Manager - App secrets, DB credentials
KMS, CloudHMS - generates and signs cryptographic keys - ERC20, SSL, Web Server identity verification
Artifact - Compliance
IAM - Permissions
Certificate Manager - TLS

AWS network security differences

Network ACL - applies to VPC
Network Security - applies to instances
AWS Network Firewall - applies to networks

Response Times

Business
- < 4 hours production system impaired
- < 1-hour production system down
Enterprise
- < 4 hours production system impaired
- < 1-hour production system down
- < 15-minute business critical
- Also, only one that has Technical Account Manager
- Concierge support

Resources and Links

AWS SAA-C03: Overview

Some notes I took before taking the AWS Certified Solutions Architect - Associate Exam.

Key areas I wanted to focus on and understand better.

Conventions

I'll use the stylistic format AWS <SERVICE_NAME> to indicate an AWS Service rather than a feature of that Service.

Test Topics

Test Topics and some of their associated services.

Domain 1: Design Secure Architectures - 30%
- AWS IAM
- AWS Control Tower
- AWS KMS
- AWS Cognito
- AWS Guard Duty
- AWS Macie
- AWS Shield
- AWS WAF
- AWS Secrets Manager
- AWS VPC
- AWS Storage Services
Domain 2: Design Resilient Architectures - 26%
- AWS SQS
- AWS Secrets Manager
- AWS SNS
- AWS Fargate
- AWS Lambda
- AWS API Gateway
- AWS Transfer Gateway
- ALB
- AWS Route 53
Domain 3: Design High-Performing Architectures - 24%
- AWS S3
- AWS Batch
- AWS Athena
- AWS Lake Formation
- AWS Storage Gateway
- Amazon Kinesis
- AWS CloudFront
- AWS DirectConnect
- AWS VPN
- AWS EFS
- AWS EBS
- AWS Elasticachae
- AWS Data Sync
- AWS Glue
- AWS EMR
Domain 4: Design Cost-Optimized Architectures - 20%
- AWS Cost Explorer
- AWS Cost Reports
- AWS Budget

High Availability

AWS Regions and Availability Zones

Typically 3 (max 6) Availability Zones per AWS Region

Replication

Replication across multiple Availability Zones is synchronous
Read-replicas (AWS Aurora, AWS RDS, etc.) follow asynchronous replication

Disaster Recovery

Multi-Site - A multi-site solution that runs in AWS (in parallel in the cloud) along with your exsiting on-site infrastructure.
Warm Standby - A scaled-down version of the environment is always running.
Pilot Light - A minimal version of an environment is always running.
Backup and Restore - Data is backup and used as a restore point.

Resources and Links

AWS SAA-C03: IAM

Some finer distinctions

Policy - An object that defines an identity’s permissions
- Can be attached to Groups
- Can be grouped into Roles
Role - Groupings of policies that facilitate a specific set of responsibilities
Groups - Only contain Users, not Groups
Users - Can belong to no Group or many Groups
Root - Created by default and used to manage the AWS IAM account itself
- Super user
- Should create and use Admin users over the course of normal administration

Kinds of IAM Policies

Identity-Based - granted to an Identity (User)
Resource-Based - granted to an AWS Resource (like an AWS Lambda Function)
Session-Based - granted programmatically, by session when an IAM Role is assumed

Policy Evaluation Logic

Evaluation Factors

Identity-Based policies
Resource-Based policies
IAM Permission Boundaries - sets the maximum permission an Identity-based policy can grant to an IAM User or IAM Role
AWS Organizations Service Control Policies (SCPs) - defined at the AWS Organization level
Session policies - programmatically supplied

Precedence

In order of precedence:

An explicit Deny
An Allow within a Service Control Policy
- If not, implicitly Deny
An Allow granted to a Resource and by an associated Resource-Based Policy
An Allow granted to an Identity and by an associated Identity-Based Policy
- If not, implicitly Deny
An Allow granted within a Permissions Boundary
- If not, implicitly Deny
An Allow granted to a Session Principal: (a) with a Session Policy or (b) within a Role Session
- If not, implicitly Deny

AWS Organizations

An account management service that consolidates multiple AWS Accounts into a higher, top-level, organizational unit.
Consolidated Billing for all associated/grouped Accounts.
Global, cross-regional.

AWS Directory Services

AWS Managed Microsoft Active Directory.

AWS Control Tower

Simplifies and standardizes the setup and governance of AWS multi-account environments.
Extends AWS Organizations.

Resources and Links

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics

AWS SAA-C03: Security

General AWS security.

Tokens

AWS STS

AWS Session Token Service

Provides temporary credentials for an AWS Account or IAM User.
One-time use or until the token expires
- Can be better for granting temporary permissions than setting an IAM Policy or assuming a Role

Secrets

AWS KMS

AWS Key Management Service

AWS KMS manages encryption Keys.
KMS Keys
- Symmetric AES-256
- Asymmetric RSA, ECC
- Multi-region Keys
  - Managed independently although they can be used interchangeably.
  - Destroying one does not destroy the others.
Integrates with most AWS Services.

AWS SSM

Secure store for configuration and secrets.
Optional AWS KMS integration.

AWS Secrets Manager

Newer service for storing secrets.
Can configure forced rotation of secrets every specified number of days.
Using AWS KMS to encrypt secrets.

TLS and SSL

AWS Certificate Manager

Manage, deploy, and provision TLS and SSL certificates.
Supports both public and private certificates.
Supports automatic certificate renewal.
Integrates with:
- AWS API Gateway
- Application Load Balancers

Doesn't integrate with AWS EC2.

Firewalls

AWS WAF

For protecting web apps from common web exploits (Layer 7, HTTP)
Deployed on:
- Application Load Balancers
- AWS API Gateways
- AWS CloudFront
- AWS APPSync GraphQL API
- AWS Cognito User Pool
Define Web Access Control Lists (ACLs):
- HTTP Method
- IP Address
- Geo-region

AWS Firewall Manager

Manage rules for all AWS Accounts in an AWS Organization
Common sets of security rules for:
- AWS WAF
- AWS Shield Advanced
- AWS EC2 Security Groups
- AWS Network Firewall (VPC)
- AWS Route 53 Resolver DNS Firewall

DDoS

AWS Shield

Distributed Denial of Service (DDoS) protection.
AWS Shield Standard - Free.
AWS Shield Advanced - $3,000/month per AWS Organization.

Automated Detection

AWS GuardDuty

Intelligent thread discovery to protect AWS Accounts.
Uses Machine Learning to discover anomaly, 3rd party data.
Sources data from:
- AWS CloudTrail Event Logs
- VPC Flow Logs
- DNS Logs
- Kubernetes Audit Logs
Can define AWS EventBridge Rules to trigger on findings.

AWS Inspector

Automated security assessments for EC2 Instances, container images, Lambda Functions.

AWS Macie

Machine Learning and pattern matching service to detect sensitive data in AWS.
Identifies PII.
Available for AWS S3 only.

Active Directory

AWS AWS Directory Service

AWS Directory Service for Microsoft Active Directory - specific to Microsoft AD
- AWS Managed Microsoft Active Directory (AD)
- Fully-managed by AWS
Integrates with AWS IAM

Federated Services

Allows multiple identity providers to be combined into a single authentication and authorization process.
Allows multiple identity managment systems to be interoperable.
Allows other trusted identity managmenet systems to verify the identity of a user for the others.

AWS SAA-C03: Monitoring

AWS CloudWatch

Monitoring, logging, metrics, alarm

CloudWatch Alarms

Associate with Log Filter Expressions, Metrics.
Trigger based on certain conditions or states.
Composite Alarms monitor multiple other Alarms.

CloudWatch Logs

Log Groups - represents an application.
Log Streams - specific containers, application instances, etc.
Filter Expression - can query across Log Events and trigger Alarms.
Can define Expiration Policies.

CloudWatch Metrics

Use prebuilt or define customized Metrics to associate with Alarms, dashboards.
Belong to CloudWatch Namespaces.
Timestamped

Unified CloudWatch Agent

Deployed onto a AWS EC2 Instance
Used to observe customized metrics (like on Instance CPU use) and send them to AWS CloudWatch

AWS Event Bridge

Schedule Cron Jobs.
Or define reactive rules to respond to a service doing something.
Integrates with most other AWS services.

AWS Cloud Trail

Provides governance, compliance, and auditing for AWS Accounts.
Trace API calls made within an AWS Account across multiple services.

Cloud Trail Events:

Management Events - track operations performed on AWS Resources.
Data Events - Lambda invocation events, API calls, etc.
Insight Events - detect unusual activity, anomalous patterns.

AWS Config

Used to assess, audit, and evaluate the configurations of AWS resources.

Config Rules - evaulate the config settings of AWS resources.
- Managed Rules - predefined.
- Customized Rules - customized by user.
Config Remediation - automatically remediates non-compliant resources such as AWS EC2 and AWS S3.
Config Notifications - notifies when the configuration of monitored resources change.

AWS SAA-C03: CloudFront

AWS CloudFront Price Classes

In order by included regions.

Price Class All - all regions, best performance.
Price Class 200 - most regions but excludes the most expensive regions.
Price Class 100 - only the least expensive regions.

AWS CloudFront Features

Geo-Restriction - restrict by AWS Region.
Integrates with AWS WAF.
Cache Invalidation - set a Time to Live (TTL) and automatically delete files from the cache you're serving from.

AWS Global Accelerator

Uses the AWS internal network to route applications.
Uses Edge Locations to send traffic to your app.
Uses Anycast IP which is created for your app.
- All servers hold the same IP Address.
- A client is routed to the nearest one.

AWS Global Accelerator is usually a better option than Route 53 Geoproximity Routing for large, globally distributed, apps.

AWS SAA-C03: Networking

VPC

Virtual Private Cloud

5 allowed per AWS Region
The maximum Classless Inter-Domain Routing (CIDR) per AWS VPC is 5:
- Min size is /28 (16 IP Addresses)
- Max size is /16 (65536 IP Addresses)
- (The lower the CIDR Length, the more IP Addresses are available.)
Only Private IPv4 Address ranges are allowed:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
Example:
- A VPC is defined with IPv4 CIDR block: 10.0.0.0/24:
  - The VPC supports 256 IP Addresses.
  - One can then define two subnets within the VPC each with 128 IP Addresses.

VPC CIDRs should not use IP Addresses that overlap.

Refer to: https://stackoverflow.com/a/56834387 and IP Addresses.

And: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html

Also: https://www.rfc-editor.org/info/rfc1918

VPC Subnet

AWS reserves 5 IP (IPv4) Addresses in each Subnet. For example, given CIDR block 10.0.0.0/24:

10.0.0.0 would be reserved as the Network Address.
10.0.0.1 would be reserved for the VPC router.
10.0.0.2 would be reserved for mapping to the Amazon-provided DNS.
10.0.0.3 is reserved for future use.
10.0.0.255 - the Network Broad Address is not supported so AWS reserves this (to prevent it from being used).

VPC Peering

Privately connects two VPCs using AWS' own internal network.
Connected VPCs behave as if they are the same network.
Overlapping CIDRs shouldn't be used in any of the connected networks.

Endpoints

So-called Private Links.
Allows one to connect AWS Services using a Private Network rather than over the Public Internet.
Consider the scernario where an AWS Service (say AWS S3) must be connected to from within a Private VPC.
- One would define an Private Endpoint and/or Gateway Endpoint and connect without going through the Public Internet.

Flow Logs

Captures all information about network traffic:
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface Flow Logs
Used to troubleshoot connectivity issues.

Traffic Mirroring

Duplicate network traffic/requests so they can be sent to security appliances.
Used to capture and inspect network traffic within a VPC.
Monitor, troubleshoot, inspect connectivity, security, and traffic.

Network Security

Network and VPC-specific security.

Bastion Host

SSH Bastion (Jump) Host.
Configuration:
- Bastion Host Security Group: Allow the Inbound Port 22 on a restricted CIDR (say, the public CIDR being used).
  - This allows authenticated persons to connect using SSH for further verification.
- EC2 Instance Security Groups: Allow the Inbound Private IP of the Bastion Host (or its Security Group)
  - Allows the Bastion Host to jump to the EC2 Instances

NAT Instance

Network Address Translation

Allows EC2 Instances in Private Subnets to connect to the internet.
Requirements:
- Must be launched in a Public Subnet.
- Must disable EC2 setting: Source / destination Check.
- Must have an Elastic IP attached to it.

Deprecated but still tested for in the exam apparently.

NACL

Network Access Control List

Controls traffic from and to Subnets.

Network Firewall

Protects a VPC.
From Layer 3 to Layer 7 protection.

Remote Access

Site to Site VPN

A fully-managed Virtual Private Network (VPN).
Creates a secure connection between an on-premises VPN and an AWS VPC in the cloud.

Direct Connect

Provides a dedicated private connection from a remote network to a VPC.

Gateways

Used to connect networks (and often for Remote Access scenarios).

Virtual Private Gateway

Used to facilitate a Site-to-Site VPN connection.
Attached to the VPC one will be connecting a VPN to.

Customer (Device) Gateway

A physical device that connects a physical, remote, network to an AWS VPC in the cloud.

Transit Gateway

Used to simplify complex network topologies.
Cross-regional connections.
Can peer Transit Gateways across AWS Regions.
Examples:
- Hub-and-Spoke (star) topology connecting 6 VPCs across 4 AWS Regions.
- Connecting 3 VPCs (A,B,C) so that A is connected to B and B is connected to C but not A to C or vice-versa.

Internet Gateway

Define Route Tables.
Specifies routing for inbound and outbound traffic.

NAT Gateway

Connects EC2 Instances in a Private Subnet to a Public Subnet.
Deployed in a Public Subnet with Private Subet Route Tables updated to point internet-bound traffic to the NAT Gateway.

Resources and Links

AWS SAA-C03: Route53

A Domain Registrar
Handles typical DNS attributes:
- A - maps to IPv4
- AAAA - maps to IPv6
- CNAME - maps Hostname to another Hostname
- NS - specify Name Servers for DNS resolution
Handles record settings:
- TTL
- Routing/forwarding

Public vs Private

Private Hosted Zone
- Records that determine how to route traffic in a VPC
Public Hosted Zone
- Records that determine how to route traffic on the internet

Routing

Geolocation - route by user location
Weighting
- Controls the percentage of requests and traffic that go to a specific resource or URL
- Assign by relative weight
Failover - route to a backup location

Health Checks

AWS Route 53 Health Checks can be configured to monitor:

Endpoints - are associated with AWS Data Centers.
- AWS Route 53 will periodically ping so-configured Endpoints.
Other Health Checks
- Called a Calculated Health Check.
- A compound, combined, or complex Health Check.
Cloud Watch Alarms and the underlying Metrics that are used to configure that Alarm.
- Will source its data from the underlying Metrics .
- Or, from an Alarm Data Stream (used to calculate the state of the Alarm).

Furthermore:

A Health Check can transmit its Status to an (another) Alarm as the data source for that Alarm.
Health Checks can trigger Alarms.
Health Checks can send notifications (via AWS SNS).

Comparing Kinds of Health Checks

Consider an EC2 Auto-Scaling Group vs an ALB Health Check:

ALB Health Check - ALB Health Check type
- Cannot be an EC2 Health Check
EC2 Auto-Scaling Group - EC2 Health Check type
- Can use ALB Health Check type
So, an ALB might terminate an EC2 Instance when an ASG does not.

Resources and Links

AWS SAA-C03: Messaging

AWS Simple Queue Service
AWS Simple Notification Service
AWS Kinesis

AWS SQS

Producer's send Messages to a (FIFO) Queue that Consumer's Poll
Default retention: 4 Days (maximum 14 Days)
Used to decouple Application Tiers
SQS scales automatically
An event in an SQS Queue is typically processed by one Consumer (e.g. - with Visibility Timeouts)

Queue Types

SQS Standard Queue
SQS Dead Letter Queue
SQS Delay Queue
SQS FIFO Queue

Batch

Up to 10 messages can be processed at once.

Visibility Timeout

Immediately after a message is received, it remains in the queue
Visibility Timeouts prevent other Consumers from processing the message agin
The default is 30 seconds

Polling

Short Polling
- Occurs repeatedly in short time-frames
- Queries only a subset of SQS servers
Long Polling
- Queries are made every 0-20 seconds (exclusive-inclusive)
- Queries the entire set of SQS servers
- Is AWS-recommended since it's less costly and more accurate

AWS SNS

Event Producer's send Messages to one SNS Topic
Event Receivers subscribe to an SNS Topic
The SNS Topic will broacast Messages to all Receivers
- An event is sent to and processed by all *Receivers

AWS Kinesis

Refer to Data

Collect, process, and analyze streaming data in real-time
IoT Telemetry
Kinesis Data Streams
Kinesis Data Firehose
Kinesis Data Analytics
Kinesis Video Streams

Partition Keys

AWS MQ

Specific to MQTT

AWS SAA-C03: Data Migration

AWS Snow Family

A device is provided to submit data to AWS directly (and physically) without using one's network.

Snowcone - up to Terrabytes
- HD - 8 TB of HDD Storage
- SSD - 14 TB of SSD Storage
Snowball Edge - up to Petabytes
- Storage Optimized - 80 TB
- Compute Optimize - 42 TB
Snomobile - up to Exabytes
- Typically, < 100 PB
- A physical semi-truck arrives and allows one to transfer up to 1 EB

AWS Edge Computing

Snowcone
Snowball Edge

AWS Transfer Family

Used for file transfers in and out of S3

Supports FTP, FTPS, SFTP
Managed infrastructure
Integrates with Active Directory, LDAP, Okta, AWS Cognito, etc.

AWS Migration Services

AWS App Migration - migrate a full application stack
AWS Database Migration - migrate databases

AWS DataSync

NFS, SMB, HDFS, S3
On-premises to cloud requires an agent to move data to and from
Syncs data using S3, EFS, and FSx

AWS Storage Gateway

Connects on-premises data and cloud data.
Typically used to backup data.
Types
- S3 File Gateway
  - NFS and SMB
  - Integrates with Active Directory
- FSx File Gateway
  - AWS access for Windows File Server
  - SMB, NTFS, and Active Directory
- Volume Gateway
  - iSCSI backed by S3
  - Backed by EBS Snapshots
- Tape Gateway
  - For physical tape drives
  - iSCI
  - Virtual Tape Library backed by S3

AWS FSx

FSx for Windows
FSx for Lustre

High performance computing
Machine learning
Linux cluster

FSx File System

Scratch: temporary is fast but impermanent
Persistent: data is persisted within the same Availability Zone

FSX for NetAPP

AWS SAA-C03: Other Data Services

Other AWS tools to process, ingest, query, store, and analyze data.

SQL Based

AWS Athena

Serverless service to query and analyze S3 data.
Supports CSV, JSON, ORC, Avro, and Parquet.

AWS Redshift

Based on PostgresSQL for Big Data analytics.
Query on multiple data sources.
Faster than Athena due to indexing.

AWS OpenSearch

Successor to ElasticSearch.
Security through Cognito, IAM, KMS encryption, TLS.

AWS EMR

Elastic MapReduce

Helps to provision and configure Hadoop.
Bundled with Apache Spark, HBase, Presto, Flink.
Composed of up to hundreds of EC2 Instances.

AWS QuickSight

Serverless machine learning, interactive dashboards.
For business analytics, visualizations, business insights, ad-hoc analysis.
In-memory SPICE engine for imported data.

AWS Glue Based

AWS Glue

Convert data into Parquet format as part of an ETL (Extract, Transform, Load) pipeline.
Converts CSV for use in Lambda Functions or AWS Athena.
Catalog of datasets.

AWS Lake Formation

Date Lake: a central place to store your data.
Clean, transform, discover, and ingest data into your Data Lake.
- Combine structured and unstructured data in your Data Lake.
Built on AWS Glue.
- With out-of-box blueprints for S3, RDS, Relational and NoSQL databases

AWS Kinesis Based

Refer to Messaging

Kinesis Data Streams are used to collect and process large streams of data records in real time.

Typically real-time data analytics.
Logs, metrics, and reporting.
Complex stream processing.
Can be combined or linked into Directed Acyclic Graphs.

Kinesis Data Firehose is used to stream data into Data Lakes, warehouses, and analytics services.

Used to load massive data sets.
Can load massive data sets from hundreds of thousands of sources that needn't be real-time data streams.

AWS Kinesis Data Analytics

Real-time analytics on Kinesis Data Streams and Firehose.

AWS Managed Streaming for Kafka

AWS Managed Streaming for Apache Kafka (AWS MSK):

Alternative to AWS Kinesis.
MSK creats and manages Kafka Broker and Zookeeper Nodes (in earlier versions of Kafka).
Data is stored in AWS EBS Volumes for indefinite periods of time.
Has a serverless mode.

AWS SAA-C03: Databases

Choose:

RDBMS
- AWS RDS
- AWS Aurora
NoSQL
- AWS DynamoDB (JSON)
- AWS ElastiCache (Key-Value)
- Neptune (Graph)
- AWS DocumentDB (MongoDB)
- AWS Keyspaces (Cassandra)
Object Store
- S3
Data Warehouse
- AWS Redshift
- AWS Athena
- AWS EMR
Search
- AWS OpenSearch (free text, unstructured search)
Graphs
- AWS Neptune
Ledger
- AWS Quantum Ledger Database
- AWS Managed Blockchain
Time Series
- AWS Timestream

AWS RDS

Postgres, MySQL, Oracle, MSSQL, MariaDB
For Relational Databases (SQL, JOIN, Table, Column)
Additional security through IAM, Security Groups, SSL
Support for auto-scaling, Read Replicas, and multiple Availability Zones

High Availability

Can provision DB Instances in Primary/Standby or Read Replica/Standby within the same AWS Region
- If so configured, Standby will be promoted to the Primary DB Instance (say, of several Read Replicas).
- If so configured, Standby will be promoted to a Read Replica if the primary Read Replica fails.
- Provides failover support
- Synchronous data replication
DB Instances can be placed into Multi-AZ clusters.

Read Replicas can be placed in differing Availability Zones within the same AWS Region.
Read Replicas can be promoted to the Primary DB Instance.

Note that DB updates incur downtime.

RDS Proxy

Allows apps to pool and share DB connections established with a database
Handles failovers itself and reduces failover time by 66%
Enforces IAM authentication for your databases
Is never publicly accessible (must be accessed from VPC)

AWS Aurora

Compatible with MySQL and Postgres
Highly distributed
- Stored in 6 replicas
- Across 3 Availability Zones
Self-healing, high availability, auto-scaling

Aurora Global Databases

AWS Aurora Global Databases are singular database instances that span multiple AWS Regions (as opposed to AWS DynamoDB Global Tables which are comprised of many replicated tables treated as one).

AWS DynamoDB

Managed serverless NoSQL database
Provisioned and optional auto-scaling capacity
DAX cluster for read cache
Automated backups up to 35 Days
Event processing - DynamoDB Streams integrate with AWS Lambda or Kinesis Data Streams
Highly available, multiple Availability Zones
Decoupled Reads and Writes

DynamoDB Accelerator

DynamoDB Accelerator (DAX) is a fully managed in-memory cache for AWS DynamoDB offering 10x performance.
Deployed as a cluster.

DynamoDB Global Tables

AWS DynamoDB Global Tables are comprised of many replicated tables distributed across several AWS Regions so that they:

Are treated as one sharing
Share the same primary key schema

AWS ElastiCache

Caches database data using Redis or Memcached:

Redis:
- Supports Sets and Sorted Sets
- Backup and restore features
- Read replicas for High Availability
- Multiple Availability Zones
Memcached:
- No High Availability
- No backup and restore
- Multithreaded

AWS Neptune

Fully managed Graph Database
Highly available across 3 Availability Zones
Up to 15 read replicas

AWS Keyspaces

A managed Apache Cassandra-compatible database service
Tables are replicated 3 times across multiple Availability Zones
Auto-scales Tables up and down based on traffic
Uses Cassandra Query Language (CQL)

AWS Quantum Ledger

2-3x better performance than common ledger blockchain frameworks
Can use SQL
Fully managed, serverless, with high availability replication across 3 Availability Zones
An immutable ledger

AWS SAA-C03: S3

Replication
(File) Versioning

AWS S3 Storage Classes

S3 Standard
- S3 Standard
S3 Intelligent-Tiering
- S3 Intelligent-Tiering
S3 Standard-Infrequent Access
- S3 Standard-IA
S3 One Zone-Infrequent Access
- S3 One Zone-IA
Archive
- S3 Glacier Instant Retrieval
- S3 Glacier Flexible Retrieval
- S3 Glacier Deep Archive

Note S3 Glacier has been renamed S3 Glacier Flexible Retrieval.

Pricing

AWS users pay for:

Hosting data in AWS S3
Updating or Copying data already in AWS S3
Requests made against items hosted in AWS S3

AWS users don't pay for:

There is no cost for uploading data into AWS S3 itself
- Although one might pay for transmitting data into a VPC or across AWS Regions

AWS S3 Data Retention

Glacial Vaults
S3 Object Lock - Retention Mode
- Governance mode - some special permissions can alter
- Compliance mode - no one one can alter
S3 Object Lock - Retention Period
- Legal Hold - locked until removed
- Retention Period - a specified period of time

AWS S3 Bucket Security Features

MFA -Multi-Factor Authentication
- Can be required for deletes
- Used to protect resources
By URL:
- CORS - Cross-Origin Resource Sharing - restrict resource access when not on same Domain
- Pre-Signed URLs - white list which URLs S3 GET / PUT requests can come from
File Encryption - Server-Side Encryption (SSE)
- SSE-S3 - default
- SSE-KMS - SSE with AWS KMS
- SSE-C - SSE with Customer Provided Keys
Bucket Policies

Other Features

S3 Batch Operations - use S3 Batch and the S3 API
Supports multi-part uploading
S3 Transfer Accerlation uses intelligent routing to reduce the time and distance it takes to upload and download files from AWS S3
Versioning
Supports static site hosting
S3 Origins specify where AWS S3 gets content from to serve to viewers.
- Examples:
  - An S3 Bucket
  - An HTTP server running on AWS EC2

Static Websites

Allowed URL formats:

http://bucket-name.s3-website.Region.amazonaws.com
http://bucket-name.s3-website-Region.amazonaws.com

Resources and Links

https://aws.amazon.com/s3/storage-classes/

AWS SAA-C03: EC2

AWS EC2 Instance Purchasing Options

On-Demand - Pay by the second
Reserved - Reserve for 1 or 3 years
Spot - Request unused EC2 instances on the fly
Dedicated Hosts - Pay for a physical host that is fully dedicated to running your instances
Dedicated Instances - Pay by the hour for instances that run on single-tenant hardware
On-Demand Capacity Reservations - Reserve capacity for your instances in a specific Availability Zone for any duration.

Scheduled Reserved instances aren't presently offered.

Savings Plans can be used to reduce costs by making a commitment to a consistent amount of usage for 1 or 3 years.

AWS EC2 Reserved Instances

Reserved Instances - Reserved for 1 or 3 years.

Generally speaking, All Upfront payments will be lower in the long-run than No Upfront payments.

All Upfront - Complete payment at the start regardless of hours eventually used
Partial Upfront - Portion paid at the start with the remainder being billed at a fixed rate regardless of hours eventually used
No Upfront - Billed at a fixed rate regardless of hours eventually used

Reserved Instances have a Convertible payment option:

Convertible - Can be exchanged with another Convertible Reserved Instance
You cannot exchange:
- All Upfront Reserved Instances for No Upfront Convertible Reserved Instances.
- Partial Upfront Reserved Instances for No Upfront Convertible Reserved Instances.

AWS EC2 Instance Types

General Purpose - Balanced storage, compute, and memory
- M nomenclature (M5a, M6zn, etc.)
Compute Optimized - High-performance computing
- C nomenclature (C6g, C6i, etc.)
Memory Optimized - Large-in-memory instances. Great high-memory use resources like MySQL, Caching
- R nomenclature (R6a, R5n, etc.)
Storage Optimized - High, sequential read and write access to very large data sets on local storage. Great for databases
- D, I, H nomenclature (H1, D3, I3 etc.)

Public vs. Private IP

Public IP - Used on the public, global, internet/web. Not too Public IP Addresses can be the same
Private IP - Used within private, subnets

Placement Groups

Cluster - Same rack, Availability Zone. Fastest but most susceptible to risk factors
Spread - All the EC2 Instances are deployed on different hardware, Availability Zones, etc.
- Maximizes High Availability
- Limited to 7 Instances per Availability Zone
Partitions - Think muliple Cluster Placement Groups spread across multiple Availability Zones
- Up to 100s of Instances per Partition
- Up to 7 Partitions per Availability Zone

Elastic Network Interfaces

Can be attached and detached to EC2 Instances within the same Availability Zone
Used to assign a fixed Public or Private IP Address

AWS EC2 Hibernate

Stores RAM into a persistent state on an encrypted root EBS volume
Relaunching or restarting the Instance is much faster

Instance Store, EBS, and EFS

Root Volumes:

Can be an Instance Store
- Limited to 10GB
- Ephemeral stores for use with temporary data
Or a EBS Backed Root Volume
- Limited to 1TB

Comparison:

Instance Store:
- 1-1 with an Instance
- Has good I/O performance since they are directly attached
- They're ephemeral however and when they're lost, the Instance is lost and when they are turned off all persisted data is lost
Elastic Block Storage:
- Attach to one Instance at a time
- Locked at the Availability Zone (cannot be moved to another Availability Zone without a Restoration Snapshot)
- Better for long-term storage than Instance Stores
Elastic File Storage:
- Attaches to multiple (hundreds) Instances across the same Availability Zone a time
- Not limited to a single Availability Zone however
- Typically more expensive
- Networked storage

Load Balancers

AWS offers Elastic Load Balancer as a managed service. It comes in a few varieties:

Application Load Balancer:
- Layer 7 (HTTP), HTTP/2, WebSocket, HTTPS
- Application balancing
- Routing based on URL Path, Hostname, Query, Headers
- Routes to EC2 Instances, ECS Tasks, Lambda Functions, IP Address
Network Load Balancer:
- Layer 4 (TCP), TCP/UDP forwarding
- Extreme performance
- Routes based on IP Address not specific AWS service
Gateway Load Balancer:
- Layer 3 (Network), IP packets
- Uses Route Tables to route traffic for an entire VPC
- Primary use is to be the single place for all inbound traffic: firewall, security monitoring, packet analysis, etc.

Classic Load Balancers are being deprecated at the end of 2022.

The Sticky Session feature ensures that users are only connected to the same EC2 Instance (and the same application session, context).

Cross Zone Load Balancing:

Load balancing is split between all Instances across all Availability Zones
Otherwise each Instance in an Availability Zone will divide the assigned load balancing weight (for that Availability Zone) by the total number of Instances within that single Availability Zone

Auto-Scaling Groups

EC2 Instances can be combined into Auto-Scaling Groups
- EC2 Auto Scaling Launch Templates
- EC2 Auto Scaling Launch Configuration
- As a general rule of thumb: EC2 Auto Scaling Launch Templates > Launch Configurations
  1. They (Templates) provide moer configuration features
  2. They support multiple versions
  3. Templates are AWS-recommended
  4. The EC2 Instance with the oldest Launch Configuration is terminated first
They create new Instances and terminate them based on configureable triggers and Dynamic Scaling Policies
- For example: CloudWatch alarms
Auto-Scaling Group Minimum and Maximum Capacities apply to the total number of EC2 Instances across all Availability Zones

Lifecycle

Scaling Out takes precedence to Scaling In
- New EC2 Instances are launched before new ones are removed
Scaling In terminates EC2 Instances
- By default, the EC2 Instance with the oldest Launch Configuration is terminated first

Resources and Links

AWS SAA-C03: Containers

AWS Elastic Container Service

AWS ECS automatically increases and decreases the number of ECS Tasks.

ECS Auto Scaling Uses AWS Application Auto Scaling.
Target Tracking - scale based on a target CloudWatch Metric value.
Step Scaling - scale based on specified CloudWatch Alarm.
Scheduled Scaling - scale based on date/time.
If using the EC2 Launch Type:
- Auto Scaling Group Scaling - based on CPU usage.
- ECS Cluster Capacity Provider - allows EC2 Instances to be added based on missing capacity.

ECS Launch Types:

EC2
- Launch Docker containers on AWS.
- User provisions and mainttains the infrastructure (underlying EC2 Instances).
Fargate
- User just creates the Task Definitions.
- Serverless computing.
- User doesn't manage the underlying EC2 Instances.

IAM Roles:

EC2 Instance Profile
- EC2 Launch Type only.
ECS Task Role
- Assigned to a Task.

AWS Elastic Container Registry

Store and manage Docker images on AWS.
Private and Public repository.
Backed by S3.
Access via IAM permission.

AWS Elastic Kubernetes Service

Supports ECS.
Managed Node Groups.
Self-Managed Nodes.
AWS native solution for Kubernetes.

AWS AppRunner

Fully managed app service.
Builds and deploys apps.

AWS SAA-C03: Serverless

Serverless Computing is a paradigm where infrastructure is sold as a service (IAAS) in a fully managed way (abstracting away the underlying bare metal and operating system resources).

AWS Fargate

The user creates Task Definitions but AWS manages the rest of the ECS infrastructure
Limited to:
- 100 Tasks per Region per Account (default)
- 1,000 Tasks per Service
- By Amazon ECS Service Quotas (limits)

Consult the Elastic Container Service article.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-quotas.html

AWS Lambda

A user creates Lambda Functions but doesn't have to manage the underlying infrastructure to execute them.
Lambda Functions are associated with specific Endpoints in AWS API Gateway and are invoked using standard HTTP REST methods and URL context paths.
Lambda Functions are stateless.
Indeed, they are ideal for stateless
There's a small delay when a Lambda Function is first called.
- A Lambda Function Context is created from a Cold state (the underlying resources are initialized and made available).
- However, a Lambda Function Contexts exists for 15 minutes in a Hot state.
- So, sequential calls will execute without the initial delay.
Lambda Functions will timeout after 15 minutes.
The default maximum number of simultaneous concurrent connections for a single Lambda Function is 1000 within the same AWS Region (this can be increased by request).

IAM Policies

Execution Roles - grant a Lambda Function permission to access other resources or perform certain operations.
Resource-Based Policy - how a Lamba Function itself can be used, invoked, or called by users or other services.

AWS API Gateway

Connect AWS Lambda Functions to API Gateway Endpoints.
Associate each endpoint with HTTP methods (PUT, POST, GET, DELETE, PATCH, OPTIONS).
Can define HTTP Request and Response Schemas.

AWS Step Functions

For sequential or "chained" operations that might require a lengthy or significant amount of execution time.

Serverless Stack

A commonly found and fully Serverless stack will comprise:

AWS DynamoDB - fully managed serverless DB.
AWS DynamoDB DAX - for Caching and read acceleration
AWS Lambda
AWS Cognito - for identity management and user authentication

AWS Proton

AWS Proton standardizes serveless architecture deployments.

Resources and Links

AWS SAA-C03: Machine Learning

Image Recognition

AWS Rekognition

Facial analysis and search using Machine Learning (ML) for user verification.
Find objects, people, text, and images in photos or video.

Speech and Text

AWS Transcribe

Automatically convert speech to text.
Deep Learning (Automatic Speech Recognition - ASR)

AWS Polly

Convert text into speech.

AWS Translate

Language translation.

AWS Lex + Connect

Automatic Speech Recognition (ASR) to convert speech into text.
Natural Language Understanding to recognize the intent of text, callers.
For chatbots, call center bots.
Receive calls, create contact flows, cloud-based virtual contact center.

AWS Comprehend

Natural Language Processing (NLP) to find insights and relationships in text.
Fully managed, serverless.
Specialized service for unstructured medical/clinical text (HIPAA).

AWS Textract

Extract text, handwriting, and data from any scanned documents.
Extrac data from forms and tables.

Fully Managed Services

AWS SageMaker

Fully managed service for developers to build Machine Learning models.

AWS Forecast

Fully managed service for developers to build highly accurate forecasts.

AWS Kendra

Fully managed document search service.
Extracts answers from within a document.
Natural language search capabilities.

AWS Personalize

Fully managed service for making real-time personalized recommendations.

AWS DOP-C02: Overview

Notes I took before passing the AWS Certified DevOps Engineer - Professional (DOP-C02) Exam.

Test Topics

https://d1.awsstatic.com/training-and-certification/docs-devops-pro/AWS-Certified-DevOps-Engineer-Professional_Exam-Guide.pdf

Domain 1: SDLC Automation - 22% of scored content
- 1.1: Implement CI/CD pipelines.
  - Software development lifecycle (SDLC) concepts, phases, and models
  - Pipeline deployment patterns for single- and multi-account environments
  - Configuring code, image, and artifact repositories
  - Using version control to integrate pipelines with application environments
  - Setting up build processes (for example, AWS CodeBuild)
  - Managing build and deployment secrets (for example, AWS Secrets Manager, AWS Systems Manager Parameter Store)
  - Determining appropriate deployment strategies (for example, AWS CodeDeploy)
- 1.2: Integrate automated testing into CI/CD pipelines.
  - Different types of tests (for example, unit tests, integration tests, acceptance tests, user interface tests, security scans)
  - Reasonable use of different types of tests at different stages of the CI/CD pipeline
  - Running builds or tests when generating pull requests or code merges (for example, CodeBuild)
  - Running load/stress tests, performance benchmarking, and application testing at scale
  - Measuring application health based on application exit codes
  - Automating unit tests and code coverage
  - Invoking AWS services in a pipeline for testing
- 1.3: Build and manage artifacts.
  - Artifact use cases and secure management
  - Methods to create and generate artifacts
  - Artifact lifecycle considerations
  - Creating and configuring artifact repositories (for example, AWS CodeArtifact, Amazon S3, Amazon Elastic Container Registry [Amazon ECR])
  - Configuring build tools for generating artifacts (for example, CodeBuild, AWS Lambda)
  - Automating Amazon EC2 instance and container image build processes (for example, EC2 Image Builder)
- 1.4: Deployment strategies for instance, container, and serverless environments.
  - Deployment methodologies for various platforms (for example, Amazon EC2, Amazon Elastic Container Service [Amazon ECS], Amazon Elastic Kubernetes Service [Amazon EKS], Lambda)
  - Application storage patterns (for example, Amazon Elastic File System [Amazon EFS], Amazon S3, Amazon Elastic Block Store [Amazon EBS])
  - Mutable deployment patterns in contrast to immutable deployment patterns
  - Tools and services available for distributing code (for example, CodeDeploy, EC2 Image Builder)
  - Configuring security permissions to allow access to artifact repositories (for example, AWS Identity and Access Management [IAM], CodeArtifact)
  - Configuring deployment agents (for example, CodeDeploy agent)
  - Troubleshooting deployment issues
  - Using different deployment methods (for example, blue/green, canary)
Domain 2: Configuration Management and IaC - 17% of scored content
- 2.1: Define cloud infrastructure and reusable components to provision and manage systems throughout their lifecycle.
  - Infrastructure as code (IaC) options and tools for AWS
  - Change management processes for IaC-based platforms
  - Configuration management services and strategies
  - Composing and deploying IaC templates (for example, AWS Serverless Application Model [AWS SAM], AWS CloudFormation, AWS Cloud Development Kit [AWS CDK])
  - Applying CloudFormation StackSets across multiple accounts and AWS Regions
  - Determining optimal configuration management services (for example, AWS OpsWorks, AWS Systems Manager, AWS Config, AWS AppConfig)
  - Implementing infrastructure patterns, governance controls, and security standards into reusable IaC templates (for example, AWS Service Catalog, CloudFormation modules, AWS CDK)
- 2.2: Deploy automation to create, onboard, and secure AWS accounts in a multi-account or multi-Region environment.
  - AWS account structures, best practices, and related AWS services
  - Standardizing and automating account provisioning and configuration
  - Creating, consolidating, and centrally managing accounts (for example, AWS Organizations, AWS Control Tower)
  - Applying IAM solutions for multi-account and complex organization structures (for example, SCPs, assuming roles)
  - Implementing and developing governance and security controls at scale (AWS Config, AWS Control Tower, AWS Security Hub, Amazon Detective, Amazon GuardDuty, AWS Service Catalog, SCPs)
- 2.3: Design and build automated solutions for complex tasks and large-scale environments.
  - AWS services and solutions to automate tasks and processes
  - Methods and strategies to interact with the AWS software-defined infrastructure
  - Automating system inventory, configuration, and patch management (for example, Systems Manager, AWS Config)
  - Developing Lambda function automations for complex scenarios (for example, AWS SDKs, Lambda, AWS Step Functions)
  - Automating the configuration of software applications to the desired state (for example, OpsWorks, Systems Manager State Manager)
  - Maintaining software compliance (for example, Systems Manager)
Domain 3: Resilient Cloud Solutions - 15% of scored content
- 3.1: Implement highly available solutions to meet resilience and business requirements.
  - Multi-AZ and multi-Region deployments (for example, compute layer, data layer)
  - SLAs
  - Replication and failover methods for stateful services
  - Techniques to achieve high availability (for example, Multi-AZ, multi-Region)
  - Translating business requirements into technical resiliency needs
  - Identifying and remediating single points of failure in existing workloads
  - Enabling cross-Region solutions where available (for example, Amazon DynamoDB, Amazon RDS, Amazon Route 53, Amazon S3, Amazon CloudFront)
  - Configuring load balancing to support cross-AZ services
  - Configuring applications and related services to support multiple Availability Zones and Regions while minimizing downtime
- 3.2: Implement solutions that are scalable to meet business requirements.
  - Appropriate metrics for scaling services
  - Loosely coupled and distributed architectures
  - Serverless architectures
  - Container platforms
  - Identifying and remediating scaling issues
  - Identifying and implementing appropriate auto scaling, load balancing, and caching solutions
  - Deploying container-based applications (for example, Amazon ECS, Amazon EKS)
  - Deploying workloads in multiple Regions for global scalability
  - Configuring serverless applications (for example, Amazon API Gateway, Lambda, AWS Fargate)
- 3.3: Implement automated recovery processes to meet RTO and RPO requirements.
  - Disaster recovery concepts (for example, RTO, RPO)
  - Backup and recovery strategies (for example, pilot light, warm standby)
  - Recovery procedures
  - Testing failover of Multi-AZ and multi-Region workloads (for example, Amazon RDS, Amazon Aurora, Route 53, CloudFront)
  - Identifying and implementing appropriate cross-Region backup and recovery strategies (for example, AWS Backup, Amazon S3, Systems Manager)
  - Configuring a load balancer to recover from backend failure
Domain 4: Monitoring and Logging - 15% of scored content
- 4.1: Configure the collection, aggregation, and storage of logs and metrics.
  - How to monitor applications and infrastructure
  - Amazon CloudWatch metrics (for example, namespaces, metrics, dimensions, and resolution)
  - Real-time log ingestion
  - Encryption options for at-rest and in-transit logs and metrics (for example, client-side and server-side, AWS Key Management Service [AWS KMS])
  - Security configurations (for example, IAM roles and permissions to allow for log collection)
  - Securely storing and managing logs
  - Creating CloudWatch metrics from log events by using metric filters
  - Creating CloudWatch metric streams (for example, Amazon S3 or Amazon Kinesis Data Firehose options)
  - Collecting custom metrics (for example, using the CloudWatch agent)
  - Managing log storage lifecycles (for example, S3 lifecycles, CloudWatch log group retention)
  - Processing log data by using CloudWatch log subscriptions (for example,Kinesis, Lambda, Amazon OpenSearch Service)
  - Searching log data by using filter and pattern syntax or CloudWatch Logs Insights
  - Configuring encryption of log data (for example, AWS KMS)
- 4.2: Audit, monitor, and analyze logs and metrics to detect issues.
  - Anomaly detection alarms (for example, CloudWatch anomaly detection)
  - Common CloudWatch metrics and logs (for example, CPU utilization with Amazon EC2, queue length with Amazon RDS, 5xx errors with an Application Load Balancer [ALB])
  - Amazon Inspector and common assessment templates
  - AWS Config rules
  - AWS CloudTrail log events
  - Building CloudWatch dashboards and Amazon QuickSight visualizations
  - Associating CloudWatch alarms with CloudWatch metrics (standard and custom)
  - Configuring AWS X-Ray for different services (for example, containers, API Gateway, Lambda)
  - Analyzing real-time log streams (for example, using Kinesis Data Streams)
  - Analyzing logs with AWS services (for example, Amazon Athena, CloudWatch Logs Insights)
- 4.3: Automate monitoring and event management of complex environments.
  - Event-driven, asynchronous design patterns (for example, S3 Event Notifications or Amazon EventBridge events to Amazon Simple Notification Service [Amazon SNS] or Lambda)
  - Capabilities of auto scaling for a variety of AWS services (for example, EC2 Auto Scaling groups, RDS storage auto scaling, DynamoDB, ECS capacity provider, EKS autoscalers)
  - Alert notification and action capabilities (for example, CloudWatch alarms to Amazon SNS, Lambda, EC2 automatic recovery)
  - Health check capabilities in AWS services (for example, ALB target groups, Route 53)
  - Configuring solutions for auto scaling (for example, DynamoDB, EC2 Auto
  - Scaling groups, RDS storage auto scaling, ECS capacity provider)
  - Creating CloudWatch custom metrics and metric filters, alarms, and notifications (for example, Amazon SNS, Lambda)
  - Configuring S3 events to process log files (for example, by using Lambda) and deliver log files to another destination (for example, OpenSearch Service, CloudWatch Logs)
  - Configuring EventBridge to send notifications based on a particular event pattern
  - Installing and configuring agents on EC2 instances (for example, AWS Systems Manager Agent [SSM Agent], CloudWatch agent)
  - Configuring AWS Config rules to remediate issues
  - Configuring health checks (for example, Route 53, ALB)
Domain 5: Incident and Event Response - 14% of scored content
- 5.1: Manage event sources to process, notify, and take action in response to events.
  - AWS services that generate, capture, and process events (for example, AWS Health, EventBridge, CloudTrail)
  - Event-driven architectures (for example, fan out, event streaming, queuing)
  - Integrating AWS event sources (for example, AWS Health, EventBridge, CloudTrail)
  - Building event processing workflows (for example, Amazon Simple Queue Service [Amazon SQS], Kinesis, Amazon SNS, Lambda, Step Functions)
- 5.2: Implement configuration changes in response to events.
  - Fleet management services (for example, Systems Manager, AWS Auto Scaling)
  - Configuration management services (for example, AWS Config)
  - Applying configuration changes to systems
  - Modifying infrastructure configurations in response to events
  - Remediating a non-desired system state
- 5.3: Troubleshoot system and application failures.
  - AWS metrics and logging services (for example, CloudWatch, X-Ray)
  - AWS service health services (for example, AWS Health, CloudWatch, Systems Manager OpsCenter)
  - Root cause analysis
Domain 6: Security and Compliance - 17% of scored content
- 6.1: Implement techniques for identity and access management at scale.
  - Appropriate usage of different IAM entities for human and machine access (for example, users, groups, roles, identity providers, identity-based policies, resource-based policies, session policies)
  - Identity federation techniques (for example, using IAM identity providers and AWS IAM Identity Center)
  - Permission management delegation by using IAM permissions boundaries
  - Organizational SCPs
  - Designing policies to enforce least privilege access
  - Implementing role-based and attribute-based access control patterns
  - Automating credential rotation for machine identities (for example, Secrets Manager)
  - Managing permissions to control access to human and machine identities (for example, enabling multi-factor authentication [MFA], AWS Security Token Service [AWS STS], IAM profiles)
- 6.2: Apply automation for security controls and data protection.
  - Network security components (for example, security groups, network ACLs, routing, AWS Network Firewall, AWS WAF, AWS Shield)
  - Certificates and public key infrastructure (PKI)
  - Data management (for example, data classification, encryption, key management, access controls)
  - Automating the application of security controls in multi-account and multi-Region environments (for example, Security Hub, Organizations, AWS Control Tower, Systems Manager)
  - Combining security controls to apply defense in depth (for example, AWS Certificate Manager [ACM], AWS WAF, AWS Config, AWS Config rules, Security Hub, GuardDuty, security groups, network ACLs, Amazon Detective, Network Firewall)
  - Automating the discovery of sensitive data at scale (for example, Amazon Macie)
  - Encrypting data in transit and data at rest (for example, AWS KMS, AWS CloudHSM, ACM)
- 6.3: Implement security monitoring and auditing solutions
  - Security auditing services and features (for example, CloudTrail, AWS Config, VPC Flow Logs, CloudFormation drift detection)
  - AWS services for identifying security vulnerabilities and events (for example, GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Config)
  - Common cloud security threats (for example, insecure web traffic, exposed AWS access keys, S3 buckets with public access enabled or encryption disabled)
  - Implementing robust security auditing
  - Configuring alerting based on unexpected or anomalous security events
  - Configuring service and application logging (for example, CloudTrail, CloudWatch Logs)
  - Analyzing logs, metrics, and security findings

Resources and Links

AWS DOP-C02: Domain 1

Notes about specific subtopics.

SDLC Automation

Task Statement 1.1: Implement CI/CD pipelines:

Continuous Integration and Continuous Delivery (CI/CD)
- Continuous Delivery stops short of automating Production deployments by requiring manual approval to do so.
Continuous Integration and Continuous Deployment (CI/CD)
- Continuous Deployment deploys code all the way to Production automatically.
AWS CodeCommit - Git, Code, Versioning
- Now deprecated but may still be tested in the DOP-CO2 exam.
- Offered some security advantages over GitHub, BitBucket, and GitLab:
  - Private Git Repositories within the same AWS VPC.
  - Can use AWS IAM Policies to manage AWS IAM Roles, SSH Keys, and AWS IAM Users.
  - AWS CLI can manage Git credentials (in addition to other AWS credentials).
  - AWS KMS can be used for encryption of files at rest or in transit.
- Drawback: minimal User Interface.
AWS CodePipeline - Continuous Delivery Service
- Define Pipelines to Build and Deploy Source Code from a variety of sources to defined Deployments.
- Events
  - Event-Driven Triggers defined through AWS EventBridge or AWS CodeStar Source Connection
- Webhooks
  - Scripted Webhook is defined and Deployed.
- Polling
  - CodePipeline polls changes in a GitHub Repository.
- Supports Continuous Delivery (which requires an Approver) as well as Continuous Deployment (which Deploys all the way to an Environment automatically).
  - Can define a Manual Approval through AWS IAM and AWS SNS.

Example CI/CD: GitHub -> Elastic Beanstalk -> CodePipeline

Node.js application Source Code is checked into a GitHub Repository.
The GitHub Repository and target Branch are associated with an AWS Elastic Beanstalk Environment and AWS Elastic Beanstalk Application.
An AWS CodePipeline Pipeline is defined to Trigger a Build and the Deploy all changes into the target AWS Elastic Beanstalk Environment on any Commit.

Also: https://github.com/Thoughtscript/aws_dop_c02/blob/main/08_templates/README.md#lab

Example CI/CD: Docker -> ECR -> ECS

Docker Image(s) is built locally.
Docker Image(s) is pushed to an AWS ECR Repository.
AWS ECS Fargate - Task Definition points to URL of the AWS ECR Repository to retrieve Docker Image.
Application Load Balancers, private Subnets, and/or public Subnets are defined and selected for deployment into.
The AWS ECS Fargate - Task Definition gets deployed as a Managed, Serverless, AWS ECS Task.

Example CI/CD: GitHub -> S3 -> CodeBuild -> Lambda

Python Lambda Handler is checked into a GitHub Repository with a buildspec.yml.
The GitHub Repository is associated with AWS CodeBuild.
The GitHub Repository is zipped and saved as an Artifact on AWS S3.
An AWS Lambda Function is defined and associated with the AWS S3 Artifact.
The AWS Lambda Function is deployed and made accessible through an AWS API Gateway.

Configuration

General Deployment Strategies

General Deployment Strategies that are often combined.

Strategy	Description
`In-Place`	Each Instance to be updated is stopped and the target version started.
`Blue/Green`	Shifting traffic between two versions (gradually or otherwise).
`Canary`	Target version is deployed for only a predetermined fraction of overall traffic.
`Linear`	Traffic to the target version is gradually increased in equal increments over a fixed interval of time.
`All-at-Once`	Traffic is immediately shifted to the target version.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.rolling-version-deploy.html#environments-cfg-rollingdeployments-namespace

https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/deployment-strategies.html

Elastic Beanstalk Deployment Settings

Setting	Description	General Deployment Strategy(ies)	Downtime, Deployment Time	Deployment To	Impact of Failed Deploy
All at Once	Deploy all Instances immediately and at once.	`All-at-Once`, `In-Place`	Downtime while new Instances Deployed, Fastest.	Existing Instances.	Signifcant, requires Manual Redeployment.
Rolling (with Additional Batch)	Deploy new Instances in successive batches.	`In-Place`	Zero, Second fastest.	New and Existing Instances.	Typically Minimal, Manual Redeploy (and removal) of Batch.
Immutable	New Instances are created and traffic is shifted to them as they pass health checks.	`Blue/Green`	Zero, Slowest.	New Instances.	Minimal, Terminate New Instances.
Traffic-Splitting	Traffic is split between deployments.	`Blue/Green`. Can be `Linear`, `Canary`.	Zero, Slowest.	New Instances.	Minimal, Swap DNS/URL Settings.

The above Deployment Strategies are often confused or conflated. For instance here, the AWS Documentation verbatim states: "The goal of blue/green deployments is to achieve immutable infrastructure" - they are distinct but are often used together.

AWS EC2 Deployment Settings

file_exists_behavior

Setting	Description
`DISALLOW`	Default. If existing files are present, the deployment fails.
`OVERWRITE`	Any prior files are overridden by the current deployment.
`RETAIN`	Prior files are kept and matching files in the current deployment are ignored.

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-files.html

Build Variables

AWS Service/Feature	Description	Use and Limits
AWS Systems Manager Parameter Store	Remove Application and Environment Secrets from plaintext and securely store.	Key-Value pairs encrypted through AWS KMS, for general use (not just Secrets), `4-8 KB` max size, can Notify about but not Rotate Secrets.
AWS AppConfig	Support for JSON Schema Validation, managing complex multi-valued Application configurations.	Integrates with AWS Systems Manager Parameter Store, S3.
AWS CloudFormation Cross-References	Reference other CloudFormation Templates, Stacks, and outputs.	AWS CloudFormation-specific.

Resources and Links

Code samples:

AWS DOP-C02: Domain 2

Notes about specific subtopics.

Configuration Management and IaC

Lambda SDK's

AWS Service	Description	Use and Limits
AWS Serverless Application Model (SAM)	Great for fastly building AWS Lambda Functions and testing locally.	Older, uses YAML Templates.
AWS Cloud Development Kit (CDK)	Considered more recent/advanced, uses Constructs.	High-level, support for many languages, support for Serverless/non-Serverless.

Automated Solutions

AWS Service	Description	Use and Limits	Agent-Based
AWS Systems Manager	Manage, Patch, and Access tools for (EC2) Instances.	Primarily used with EC2 for operational tasks.	Yes - SSM.
AWS Config	Audits and assesses AWS Resource configurations.	Compliance, conformance, stipulating Organization rules. Can now define AWS Config Managed Rules that audit running workloads.	No
AWS Service Catalog	Centrally Whitelist, Manage, and Approve IT Resources (Images, Software, Database, etc.).	Catalog-based, limited Constraint configuration (can restrict by User).	No.
AWS CloudFormation	Used to define Stacks and Templates (for complex deployments).	Primarily used for entire Infrastructure-(as-Code) tasks, can't restrict by User.	No.

Scheduling

AWS Service Entity	Description	Use and Limits
AWS EventBridge Scheduler	Scheduling for millions of Serverless Events.	Newer, integrates with AWS Lambda and other Services.
AWS EventBridge Rule	Can schedule Cron Jobs to trigger Events.	Older, less scalable, matches Event data.
AWS EC2 (Spot) Instances	Can define traditional Cron Jobs within an EC2 Instance.	Can be costly, limited to Container.

Terraform Samples

Resources and Links

Code samples:

AWS DOP-C02: Domain 3

Notes about specific subtopics.

Resilient Cloud Solutions

Resilient Databases

AWS Service	Description	Use and Limits
AWS Aurora Global Databases	Single, Multi-Region, AWS Aurora database deployment.	Global, multi-Region, globally distributed (not Read Replicas).
AWS DynamoDB Global Tables	Multiple AWS DynamoDB Tables that are replicated across many Regions but treated as a single database.	Global, multi-Region, globally distributed (inherently replicated).
AWS RDS Multi-AZ Cluster	Read Replicas deployed across multiple Availability Zones within the same Region.	Single Region, Semisynchronous, minimum of `3` AZ's.

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-databases

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-certified-cloud-practitioner

Replication

AWS Service	Description	Use and Limits
AWS Aurora Replication	Single Region, up to `15` Replicas.	Read Replication and Query offloading.
AWS DynamoDB Replication	Through AWS DynamoDB Global Tables.	Global, multi-Region, globally distributed (inherently replicated).
AWS RDS Multi-AZ Replication	Replicas deployed across multiple Availability Zones within the same Region.	Single Region, Read Replicas. AWS RDS Multi-AZ Cluster.
AWS RDS Cross-Region Replication	Replicas deployed across multiple Regions.	Multi-Region, Read Replicas.

AWS DynamoDB Configurations

Entity	Description	Use and Limits
Global Secondary Index (GSI)	Second index on base table.	New Partition and Sort Keys, no size limits, scans full table.
Local Secondary Index (LSI)	Second index on base table.	Same Partition Key, different Sort Key, `10 GB` size limit, scans Partition. Must be created when the base table is.
Partition	Specified up by Partition Keys. Divides up AWS DynamoDB Tables (of which there are often 1 per Database).	Segments or divides data for querying, organization.
Primary Key	Composed of Sort Key and Partition Key.	Global vs Local Secondary Indicies, Partition Key divides Table into Partitions.
Projected Attribute	Attributes that are "copied" (Projected) into an Index.	Can be all Attributes (entity). Primary and Index Keys are automatically Projected.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-indexes-general.html

Static Asset Resiliency

AWS Service	Description	Use and Limits
AWS S3 Cross Region Replication	Copies data from S3 Buckets across multiple Regions (quickly).	Region specific replication, good for backup/recovery.
AWS CloudFront Distribution	Low latency, distribution by edge location.	Eventually consistent, truly Global, good for serving website content.

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-s3

AWS S3 Configuration and Limitations

Summary of AWS S3 Cross Region Replication configuration steps:

Permissions are handled through a created IAM Role,
Bucket Replication from source to destination is enabled.
Versioning is enabled on both source and destination.

AWS S3 doesn't support retries (of any sort) natively.
- Instead one must define an Lambda Function to perform S3 retries.

ALB's and VPC's

Terraform Samples

Resources and Links

Code samples:

AWS DOP-C02: Domain 4

Notes about specific subtopics.

Monitoring and Logging

Logging

AWS Service	Description	Use and Limits
AWS CloudWatch	Used with Log Groups, Filters, Alarms, and Metrics to log the performance and operational health of Resources.	Logs performance and operational metrics, health but not internal use (by staff/devs).
AWS CloudTrail	Trace HTTP Requests, audit API calls.	Logs User interactions but not operational ones.

Agents

AWS Service	Entity	Description	Use and Limits	Logging
AWS Systems Manager	Systems Manager Agent (SSM)	AWS Systems Manager Agent (primarily) installed on EC2 Instances.	Used to Update, Patch, Configure, and Manage resources.	Logs can be sent to AWS CloudWatch.
AWS CloudWatch	AWS CloudWatch Agent	AWS CloudWatch Agent primarily used to collect Memory, CPU telemetry on EC2 and ECS Instances.	Collects Memory and CPU Telemetry.	Inherently sent to AWS CloudWatch.
AWS X-Ray	AWS X-Ray Daemon	Default port `2000`, UDP-based tool used to Trace, troubleshoot, and analyze HTTP Request traffic.	Distributed, deployed through Docker Image. Deployed into a AWS ECS Cluster alongside other Containers.	Used for traffic, UDP, and trace logging. Integrates with AWS CloudWatch.

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-monitoring

Terraform Samples

Resources and Links

Code samples:

AWS DOP-C02: Domain 5

Notes about specific subtopics.

Incident and Event Response

AWS CloudWatch Entities

AWS CloudWatch Entity	Description	Use and Limits
Custom Metric	Defined for use within CloudWatch Alarms, Queries, and Metric Filters to monitor events.	Metric are Dimensioned and some operations are reserved for certain data types.
Aggregate Function	Inbuilt CloudWatch Insights query functions (`count()`) akin to those found in SQL.	Can be used in Queries and Metric Filters manually through CloudWatch Insights.
Metric Filter	Used to filter and query logs and log data. Used to define CloudWatch Alarms, populate statistics, and graphs.	Used in the CloudWatch Insights UI/UX console and when defining CloudWatch Alarms.

AWS CloudWatch SQL Reference

Manage Events

AWS Service	Description	Use and Limits
Apache Kafka	Open-source Event-based Message Broker using KRaft/ZooKeeper to coordinate.	Supports many Data Formats (JSON), unlimited Retention Period, not-AWS-bound, more configuration options, used with AWS MSK.
AWS SQS	AWS-bound Event-based Messaging Queue.	Text, max `14 Day` Retention Period, DLQ, and Retry Queues built-in.
AWS Kinesis	Collect, process, and analyze real-time streaming data.	Typically used for complex and/or vast data streams.

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-messaging

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-other-data-services

Notifications

AWS Service	Description	Use and Limits
AWS SES	Primarily intended for Email mass-marketing.	Bulk Email.
AWS SNS	Notifications can be connected to a variety of Endpoints.	SMS, Email, Pager Duty Integration, etc.

Terraform Samples

Resources and Links

Code samples:

AWS DOP-C02: Domain 6

Notes about specific subtopics.

Security and Compliance

AWS IAM

Management and Governance

AWS Service Entity	Description	Use and Limits	Integrations
AWS Organization Service Control Policies	Used to set AWS IAM permission guardrails.	They do not grant permissions. They limit what IAM permissions or actions can be taken.	AWS IAM, AWS Organizations
AWS Config Organizational Rules	Used to manage AWS Config Rules across all Organizations.	Create a common set of AWS Config Rules across all Accounts.	AWS IAM Accounts, AWS Config, AWS Organizations
AWS Control Tower	Orchestrates Services across multiple AWS Accounts and Organizational Units (OU's).	Limited to `5` Service Control Policies per OU. Primarily used for automating guardrails across Accounts/OU's.	AWS Organizations, AWS IAM Accounts, AWS Service Catalog

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html

https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

Secrets Management

AWS Service	Description	Use and Limits
AWS Systems Manager Parameter Store	Remove Application and Environment Secrets from plaintext and securely store.	Key-Value pairs encrypted through AWS KMS, for general use (not just Secrets), `4-8 KB` max size, can Notify about but not Rotate Secrets.
AWS Secrets Manager	Store, Rotate Database and API Credentials.	Can Rotate Secrets automatically, larger max size `64 KB`.

https://tutorialsdojo.com/aws-secrets-manager-vs-systems-manager-parameter-store/

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-security

Automated Detection

AWS Service	Description	Use and Limits
AWS Macie	Uses Machine Learning to scan AWS S3 Resources for malicious activity.	AWS S3 (only)
AWS Guard Duty	Detects malicious activity.	Malicious activity and workload detection across AWS Accounts.
AWS Inspector	Automated security inspection - reviews services and Resources for compliance/security conformance.	AWS EC2 (and now AWS Lambda) security compliance and known security vulnerability assessments. Cannot scan AMI's.

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-saa-c03-security

https://render-static-fs.onrender.com/study_guide_notes_2023.html#aws-certified-cloud-practitioner

Environment Management

AWS Service	Description	Use and Limits
AWS Trusted Advisor	Best Practice recommendation for AWS Environments.	Guidance and recommendations. Can notify weekly.
AWS Config	Audits and assesses AWS Resource configurations.	Compliance, conformance, stipulating Organization rules. Can now define AWS Config Managed Rules that audit running workloads. Remediation rules use AWS Systems Manager Automation Documents not AWS Lambda or AWS Config. Can scan AMI's.

See: AWS CCP notes on Environment Management.

Compliance: Drift Detection

AWS Service Entity	Description	Use and Limits
AWS CloudFormation Drift Detection	Capability of AWS CloudFormation.	Only supports certain Deployment Statuses.
AWS Config Config Recorder	Is run to track changes and deviations from some specified target Configuration.	Must be run through AWS Config, can only detect Configurations, is recorded and stored.

Terraform Samples

Resources and Links

Code samples:

AWS SAP-C02: Overview

Notes I took before taking the AWS Certified Solutions Architect - Professional (SAP-C02) Exam.

Test Topics

https://docs.aws.amazon.com/pdfs/aws-certification/latest/examguides/aws-certification-exam-guides.pdf#solutions-architect-professional-02

Domain 1: Design Solutions for Organizational Complexity - 26% of scored content
- Task 1.1: Architect network connectivity strategies
  - Knowledge of:
    - AWS Global Infrastructure
    - AWS networking concepts (for example, Amazon Virtual Private Cloud (Amazon VPC), AWS Direct Connect, AWS VPN, transitive routing, AWS container services)
    - Hybrid DNS concepts (for example, Amazon Route 53 Resolver, on-premises DNS integration)
    - Network segmentation (for example, subnetting, IP addressing, connectivity among VPCs)
    - Network traffic monitoring
  - Skills in:
    - Evaluating connectivity options for multiple VPCs
    - Evaluating connectivity options for on-premises, co-location, and cloud integration
    - Selecting AWS Regions and Availability Zones based on network and latency requirements
    - Troubleshooting traffic flows by using AWS tools
    - Using service endpoints for service integrations
- Task 1.2: Prescribe security controls
  - Knowledge of:
    - AWS Identity and Access Management (IAM) and AWS IAM Identity Center
    - Route tables, security groups, and network ACLs
    - Encryption keys and certificate management - for example, AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM)
    - AWS security, identity, and compliance tools - for example, AWS CloudTrail, AWS Identity and Access Management Access Analyzer, AWS Security Hub, Amazon Inspector
  - Skills in:
    - Evaluating cross-account access management
    - Integrating with third-party identity providers
    - Deploying encryption strategies for data at rest and data in transit
    - Developing a strategy for centralized security event notifications and auditing
- Task 1.3: Design reliable and resilient architectures
  - Knowledge of:
    - Recovery time objectives (RTOs) and recovery point objectives (RPOs)
    - Disaster recovery strategies (for example, using AWS Elastic Disaster Recovery, pilot light, warm standby, and multi-site)
    - Data backup and restoration
  - Skills in:
    - Designing disaster recovery solutions based on RTO and RPO requirements
    - Implementing architectures to automatically recover from failure
    - Developing the optimal architecture by considering scale-up and scale-out options
    - Designing an effective backup and restoration strategy
- Task 1.4: Design a multi-account AWS environment
  - Knowledge of:
    - AWS Organizations and AWS Control Tower
    - Multi-account event notifications
    - AWS resource sharing across environments
  - Skills in:
    - Evaluating the most appropriate account structure for organizational requirements
    - Recommending a strategy for central logging and event notifications
    - Developing a multi-account governance model
- Task 1.5: Determine cost optimization and visibility strategies
  - Knowledge of:
    - AWS cost and usage monitoring tools - for example, AWS Trusted Advisor, AWS Pricing Calculator, AWS Cost Explorer, AWS Budgets
    - AWS purchasing options - for example, Reserved Instances, Savings Plans, Spot Instances
    - AWS rightsizing visibility tools - for example, AWS Compute Optimizer, Amazon Simple Storage Service (Amazon S3) Storage Lens
  - Skills in:
    - Monitoring cost and usage with AWS tools
    - Developing an effective tagging strategy that maps costs to business units
    - Understanding how purchasing options affect cost and performance
Content Domain 2: Design for New Solutions - 29% of scored content
- Task 2.1: Design a deployment strategy to meet business requirements
  - Knowledge of:
    - Infrastructure as code (IaC) (for example, AWS CloudFormation)
    - Continuous integration and continuous delivery (CI/CD)
    - Change management processes
    - Configuration management tools (for example, AWS Systems Manager)
  - Skills in:
    - Determining an application or upgrade path for new services and features
    - Selecting services to develop deployment strategies and implement appropriate rollback mechanisms
    - Adopting managed services as needed to reduce infrastructure provisioning and patching overhead
    - Making advanced technologies accessible by delegating complex development and deployment tasks to AWS
- Task 2.2: Design a solution to ensure business continuity
  - Knowledge of:
    - AWS Global Infrastructure
    - AWS networking concepts (for example, Amazon Route 53, routing methods)
    - RTOs and RPOs
    - Disaster recovery scenarios (for example, backup and restore, pilot light, warm standby, multisite)
    - Disaster recovery solutions on AWS
  - Skills in:
    - Configuring disaster recovery solutions
    - Configuring data and database replication
    - Performing disaster recovery testing
    - Architecting a backup solution that is automated, is cost-effective, and supports business continuity across multiple Availability Zones or AWS Regions
    - Designing an architecture that provides application and infrastructure availability in the event of a disruption
    - Using processes and components for centralized monitoring to proactively recover from system failures
- Task 2.3: Determine security controls based on requirements
  - Knowledge of:
    - IAM
    - Route tables, security groups, and network ACLs
    - Encryption options for data at rest and data in transit
    - AWS service endpoints
    - Credential management services
    - AWS managed security services (for example, AWS Shield, AWS WAF, Amazon GuardDuty, AWS Security Hub)
  - Skills in:
    - Specifying IAM users and IAM roles that adhere to the principle of least privilege access
    - Specifying inbound and outbound network flows by using security group rules and network ACL rules
    - Developing attack mitigation strategies for large-scale web applications
    - Developing encryption strategies for data at rest and data in transit
    - Specifying service endpoints for service integrations
    - Developing strategies for patch management to remain compliant with organizational standards
- Task 2.4: Design a strategy to meet reliability requirements
  - Knowledge of:
    - AWS Global Infrastructure
    - AWS storage services and replication strategies (for example Amazon S3, Amazon RDS, Amazon ElastiCache)
    - Multi-AZ and multi-Region architectures
    - Auto scaling policies and events
    - Application integration (for example, Amazon SNS, Amazon SQS, AWS Step Functions)
    - Service quotas and limits
  - Skills in:
    - Designing highly available application environments based on business requirements
    - Using advanced techniques to design for failure and ensure seamless system recoverability
    - Implementing loosely coupled dependencies
    - Operating and maintaining high-availability architectures (for example, application failovers, database failovers)
    - Using AWS managed services for high availability
    - Implementing DNS routing policies (for example, Route 53 latency-based routing, geolocation routing, simple routing)
- Task 2.5: Design a solution to meet performance objectives
  - Knowledge of:
    - Performance monitoring technologies
    - Storage options on AWS
    - Instance families and use cases
    - Purpose-built databases
  - Skills in:
    - Designing large-scale application architectures for a variety of access patterns
    - Designing an elastic architecture based on business objectives
    - Applying design patterns to meet performance objectives with caching, buffering, and replicas
    - Developing a process methodology for selecting purpose-built services for required tasks
    - Designing a rightsizing strategy
- Task 2.6: Determine a cost optimization strategy to meet solution goals and objectives
  - Knowledge of:
    - AWS cost and usage monitoring tools (for example, AWS Cost Explorer, AWS Trusted Advisor, AWS Pricing Calculator)
    - Pricing models (for example, Reserved Instances, AWS Savings Plans)
    - Storage tiering
    - Data transfer costs
    - AWS managed service offerings
  - Skills in:
    - Identifying opportunities to select and rightsize infrastructure for cost-effective resources
    - Identifying appropriate pricing models
    - Performing data transfer modeling and selecting services to reduce data transfer costs
    - Developing a strategy and implementing controls for expenditure and usage awareness
Content Domain 3: Continuous Improvement for Existing Solutions - 25% of scored content
- Task 3.1: Determine a strategy to improve overall operational excellence
  - Knowledge of:
    - Alerting and automatic remediation strategies
    - Disaster recovery planning
    - Monitoring and logging solutions (for example, Amazon CloudWatch)
    - CI/CD pipelines and deployment strategies (for example, blue/green, all-at-once, rolling)
    - Configuration management tools (for example, AWS Systems Manager)
  - Skills in:
    - Determining the most appropriate logging and monitoring strategy
    - Evaluating current deployment processes for improvement opportunities
    - Prioritizing opportunities for automation within a solution stack
    - Recommending the appropriate AWS solution to enable configuration management automation
    - Engineering failure scenario activities to support and exercise an understanding of recovery actions
- Task 3.2: Determine a strategy to improve security
  - Knowledge of:
    - Data retention, data sensitivity, and data regulatory requirements
    - Automated monitoring and remediation strategies (for example, AWS Config rules)
    - Secrets management (for example, Systems Manager, AWS Secrets Manager)
    - Principle of least privilege access
    - Security-specific AWS solutions
    - Patching practices
    - Backup practices and methods
  - Skills in:
    - Evaluating a strategy for the secure management of secrets and credentials
    - Auditing an environment for least privilege access
    - Reviewing implemented solutions to ensure security at every layer
    - Reviewing comprehensive traceability of users and services
    - Prioritizing automated responses to the detection of vulnerabilities
    - Designing and implementing a patch and update process
    - Designing and implementing a backup process
    - Employing remediation techniques
- Task 3.3: Determine a strategy to improve performance
  - Knowledge of:
    - High-performing systems architectures (for example, auto scaling, instance fleets, placement groups)
    - Global service offerings (for example, AWS Global Accelerator, Amazon CloudFront, edge computing services)
    - Monitoring tool sets and services (for example, CloudWatch)
    - Service level agreements (SLAs) and key performance indicators (KPIs)
  - Skills in:
    - Translating business requirements to measurable metrics
    - Testing potential remediation solutions and making recommendations
    - Proposing opportunities for the adoption of new technologies and managed services
    - Assessing solutions and applying rightsizing based on requirements
    - Identifying and examining performance bottlenecks
- Task 3.4: Determine a strategy to improve reliability
  - Knowledge of:
    - AWS Global Infrastructure
    - Data replication methods
    - Scaling methodologies (for example, load balancing, auto scaling)
    - High availability and resiliency
    - Disaster recovery methods and tools
    - Service quotas and limits
  - Skills in:
    - Understanding application growth and usage trends
    - Evaluating existing architecture to determine areas that are not sufficiently reliable
    - Remediating single points of failure
    - Enabling data replication, self-healing, and elastic features and services
- Task 3.5: Identify opportunities for cost optimizations
  - Knowledge of:
    - Cost-conscious architecture choices (for example, using Spot Instances, scaling policies, and rightsizing resources)
    - Price model adoptions (for example, Reserved Instances, AWS Savings Plans)
    - Networking and data transfer costs
    - Cost management, alerting, and reporting
  - Skills in:
    - Analyzing usage reports to identify underutilized and overutilized resources
    - Using AWS solutions to identify unused resources
    - Designing billing alarms based on expected usage patterns
    - Investigating AWS Cost and Usage Reports at a granular level
    - Using tagging for cost allocation and reporting
Domain 4: Accelerate Workload Migration and Modernation - 20% of scored content
- Task 4.1: Select existing workloads and processes for potential migration
  - Knowledge of:
    - Migration assessment and tracking tools (for example, AWS Migration Hub)
    - Portfolio assessment
    - Asset planning
    - Prioritization and migration of workloads (for example, wave planning)
  - Skills in:
    - Completing an application migration assessment
    - Evaluating applications according to the seven common migration strategies (7Rs)
    - Evaluating total cost of ownership (TCO)
- Task 4.2: Determine the optimal migration approach for existing workloads
  - Knowledge of:
    - Data migration options and tools (for example, AWS DataSync, AWS Transfer Family, AWS Snow Family, Amazon S3 Transfer Acceleration)
    - Application migration tools (for example, AWS Application Discovery Service, AWS Application Migration Service)
    - AWS networking services and DNS (for example, AWS Direct Connect, AWS Site-to-Site VPN, Amazon Route 53)
    - Identity services (for example, AWS IAM Identity Center, AWS Directory Service)
    - Database migration tools (for example, AWS DMS, AWS SCT)
    - Governance tools (for example, AWS Control Tower, AWS Organizations)
  - Skills in:
    - Selecting the appropriate database transfer mechanism
    - Selecting the appropriate application transfer mechanism
    - Selecting the appropriate data transfer service and migration strategy
    - Applying the appropriate security methods to migration tools
    - Selecting the appropriate governance model
- Task 4.3: Determine a new architecture for existing workloads
  - Knowledge of:
    - Compute services (for example, Amazon EC2, AWS Elastic Beanstalk)
    - Containers (for example, Amazon ECS, Amazon EKS, AWS Fargate, Amazon ECR)
    - AWS storage services (for example, Amazon EBS, Amazon EFS, Amazon FSx, Amazon S3, AWS Storage Gateway Volume Gateway)
    - Databases (for example, Amazon DynamoDB, Amazon OpenSearch Service, Amazon RDS, selfmanaged databases on Amazon EC2)
  - Skills in:
    - Selecting the appropriate compute platform
    - Selecting the appropriate container hosting platform
    - Selecting the appropriate storage service
    - Selecting the appropriate database platform
- Task 4.4: Determine opportunities for modernization and enhancements
  - Knowledge of:
    - Serverless compute offerings (for example, AWS Lambda)
    - Containers (for example, Amazon ECS, Amazon EKS, Fargate)
    - AWS storage services (for example, Amazon S3, Amazon EFS)
    - Purpose-built databases (for example, DynamoDB, Amazon Aurora Serverless, Amazon ElastiCache)
    - Integration services (for example, Amazon SQS, Amazon SNS, Amazon EventBridge, AWS Step Functions)
  - Skills in:
    - Identifying opportunities to decouple application components
    - Identifying opportunities for serverless solutions
    - Selecting the appropriate service for containers
    - Identifying opportunities for purpose-built databases
    - Selecting the appropriate application integration service

Resources and Links

AWS SAP-C02: Domain 1

Design Solutions for Organizational Complexity. (Notes about specific subtopics.)

Task 1.1: Architect network connectivity strategies

The prior: AWS SAA-C03 Networking and AWS: CCP Networking notes have been updated to include new Services, Features, and Functionalities below.

Gateways

Updated.

AWS Service	Entity	OSI Layer	Description	Fully Managed	Features and Limits	Introduced
AWS REST API Gateway	REST API Gateway	7 (Application)	Allows access to API endpoints, methods.	Yes	Supports caching, documentation, AWS Lambda.	2015
AWS VPC	Internet Gateway	3 (Network)	VPC to (Public) Internet, bidirectional.	Yes	Full VPC Subnet to (Public) Internet access, resilience, `IPv6`.	2009
AWS VPC	Egress-Only Internet Gateway	3 (Network)	VPC to (Public) Internet, unidirectional.	Yes	Private Subnet to (Public) Internet access, `IPv6`.	2009
AWS VPC	NAT Gateway	3 (Network)	Private to (Public) Internet, egress.	Yes	Private Subnet to (Public) Internet access, `IPv4`, network translation.	2015
Storage Gateway, AWS S3, AWS FSx	Storage Gateway	7 (Application)	Connects on-prem resources to AWS Cloud Services primarily to transfer files, data.	No	Kinds: `S3 File`, `FSx File`, `Volume`, and `Tape` Gateways. Optimizations for multi-part uploads, latency, etc.	2012
AWS Direct Connect	Direct Connect Gateway (DXGW)	3 (Network)	Connects on-prem Networks/VPNs to AWS VPCs and Cross-Regions AWS VPCs to each other.	No	Connects VPNs to AWS VPCs and Cross-Regions AWS VPCs. Combine with VGW for high-bandwidth, multi-Region, connectivity.	2017
AWS Direct Connect	Virtual Private Gateway (VGW)	3 (Network)	Connects one AWS VPC to on-prem Networks/VPNs.	No	Combine with DXGW for high-bandwidth, multi-Region, connectivity.	2009
AWS VPN	Customer Gateway (Site-to-Site VPN)	3 (Network), 4 (Transport)	A Physical Device installed to further secure on-prem Networks/VPNs to AWS VPC connections.	No	Supports advanced security and VPN Tunneling.	2009
AWS VPC	Transit Gateway	3 (Network)	Allows multiple on-prem Networks/VPNs and multiple AWS VPCs to connect Cross-Regionally.	No	Attaches DXGWs, AWS VPCs, on-prem Networks/VPNs, and more to encrypt all traffic between connected Networks.	2009

Virtual Interfaces (VIF)

Virtual Interfaces (VIF) are attached to AWS VPCs in two primary ways:

Private VIF:
- A VIF should be used to access an Amazon VPC using Private IP Addresses.
- Typically associated with Gateways (to connect an otherwise Private VPC and/or Resource with another).
Public VIF:
- A VIF can access all AWS public services using Public IP Addresses.
- Used less in tandem with Gateways (since they're already used in Public VPCs).

And Transit VIF:

A Private VIF specific to Transit Gateway and/or Direct Connect Gateways connectivity and enablement.

https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html

Network Connections

First Network Group	Connection	Second Network Group	Cross Region	IPSec	Relationship	Summary	Documentation
Many AWS VPCs (same Region) through a Virtual Private Gateway (and AWS Site-to-Site VPN)	(Public) Internet	On-Premises VPN through an AWS Customer Gateway	No	On-Premises VPN	One-to-One	AWS VPC to On-Premises VPN over the (Public) Internet	Link
Many AWS VPCs (same Region) through an AWS Transit Gateway (and AWS Site-to-Site VPN)	(Public) Internet	On-Premises VPN through an AWS Customer Gateway	No	On-Premises VPN	Many-to-One	Multiple AWS VPCs to On-Premises VPN over the (Public) Internet	Link
Many AWS VPCs (same Region) through a Virtual Private Gateway (configured with a Virtual Interface)	AWS Direct Connect	On-Premises VPN through an AWS Customer Gateway	No	N/A	One-to-One	AWS VPC to On-Premises VPN over AWS Direct Connect	Link
Cross Region AWS VPCs through an AWS Direct Connect Gateway (configured with a Virtual Interface, AWS Site-to-Site VPN)	AWS Direct Connect	On-Premises VPN through an AWS Customer Gateway	Yes	Cross Region AWS VPCs	Many-to-One	Cross Region AWS VPCs to On-Premises VPN over AWS Direct Connect	Link
AWS VPC (configured with a Virtual Interface, AWS Site-to-Site VPN)	AWS Direct Connect	On-Premises VPN through an AWS Customer Gateway	No	AWS VPC	One-to-One	AWS VPC to On-Premises VPN over AWS Direct Connect	Link
AWS VPC through a Virtual Private Gateway	(Public) Internet	Many On-Premises VPNs through AWS Customer Gateways	No	On-Premises VPNs	One-to-Many	AWS VPC to On-Premises VPNs over (Public) Internet	Link
AWS VPC through an Internet Gateway	(Public) Internet	On-Premises VPN through AWS Customer Gateway	No	N/A	One-to-One	AWS VPC to On-Premises VPN over (Public) Internet	Link
AWS VPC through VPC Peering	AWS (Internet Backbone)	AWS VPC through VPC Peering	Yes	N/A	One-to-One, Many-to-Many, etc.	(Cross Region) AWS VPC to an AWS VPC over AWS (Internet Backbone)	Link
Many AWS VPCs (same Region) through an AWS Transit Gateway	AWS (Internet Backbone)	AWS VPC through an AWS Transit Gateway	Yes	N/A	Many-to-Many-to-One	Many AWS VPCs (same Region) to an AWS VPC (different Region) over AWS (Internet Backbone)	Link
AWS VPC through an Internet Gateway	AWS Software VPN	AWS VPC (different Region) through an Internet Gateway	Yes	N/A	One-to-One	AWS VPC to an AWS VPC (different Region) over AWS Software VPN	Link
AWS VPC through an AWS Virtual Private Gateway	AWS Software VPN	AWS VPC (different Region) through an Internet Gateway	Yes	AWS VPC	One-to-One	AWS VPC to an AWS VPC (different Region) over AWS Software VPN	Link

General Takeaways:

Use a Virtual Private Gateway for enhanced security.
AWS Direct Connect typically requires a configured Virtual Interface (with or without a Virtual Private Gateway attachment).
On-Premises VPN typically requires an AWS Customer Gateway.
AWS Transit Gateways will generally be used in scenarios involving Many-to-One VPN, VPC, or Network mappings (althought not always).
- Hub-and-Spoke pattern typically implies an AWS Transit Gateways which allows a multitude of VPC's and Direct Connections to be managed together.
Failover Features typically require both an AWS Direct Connection and a VPN.
For AWS RAM Resource sharing scenarios:
- The default set up involves Private VPC's in each AWS Account being Peered the main shared services VPC.

Review:

Route 53 Topics

AWS Route 53 Route Resolver: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

Task 1.2: Prescribe security controls

Service Control Policy

Service Control Policy notes:

See AWS DOP SCP notes.
Remember, an explicit Grant must: (a) be given in the IAM Role or Policy and (b) not contradict the SCP.
Generally, discouraged from attaching to the OU Root.

STS Federation SAML vs OIDC vs LDAP

Identity Protocol	Services	Customization	Use Scenario
SAML	AWS Identity Center, AWS Cognito	Identity Broker	STS Federated Access
OIDC	AWS Cognito	Identity Providers	Identity Pools, Social Login, Federated/Non-Federated Access
OIDC	AWS IAM	Identity Provider	Resource Workloads
LDAP	AWS Active Directory, AWS Directory Service	AD Connector	On-Premise Access, AD Federated Access

https://docs.aws.amazon.com/managedservices/latest/onboardingguide/federate-dir-with-sent-iam-roles.html

Task 1.4: Design a multi-account AWS environment

AWS IAM Identity Center

Excellent for centralizing IAM Roles and access across many AWS Accounts, AWS Organizations, and AWS OU's.
Used with SCIM v2.0 (for federated, SSO, cross-domain access), ABAC, and SAML 2.0.

Cross Account Access

https://aws.amazon.com/blogs/security/four-ways-to-grant-cross-account-access-in-aws/

AWS Resource Access Manager (AWS RAM)

Allow sharing of resources within same OU.
Requires OU Account to enable Account sharing.
Can share external to the OU as well.

STS Assume Role

Trust Policy through STS for granting Access to Users or for Resources to entities (Users, Resources, Organizations, Accounts, etc.) outside the OU.

Resources and Links

AWS SAP-C02: Domain 2

Design for New Solutions. (Notes about specific subtopics.)

Task 2.1: Design a deployment strategy to meet business requirements

Remember that CloudFormation StackSets don't just combine CloudFormation Templates they also allow these to be shared with multiple AWS Regions and AWS Accounts.

Task 2.4: Design a strategy to meet reliability requirements

AWS RDS Multi-AZ Failover

Remember that AWS will automatically handle a Failover for an AWs RDS Cluster in Multi-AZ configuration:

AWS will automatically promote an available Replica to become Master.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts-failover.html#multi-az-db-clusters-concepts-failover-automatic

AWS S3 Versioning Review

A Version ID of null is assigned to AWS S3 Objects before AWS S3 Versioning is enabled.
After AWS S3 Versioning is enabled within a Bucket, AWS S3 Objects within the Bucket will be assigned a Version ID.
Changes thereafter will result in newly generated Version IDs.

Takeaways:

A Version ID can be null.
Version IDs does not need to sequential (e.g. - unlike SQL auto-increment).

https://docs.aws.amazon.com/AmazonS3/latest/userguide/RetrievingObjectVersions.html

Task 2.6: Determine a cost optimization strategy to meet solution goals and objectives

Helpful Settings or Features

AWS Service	Setting or Feature	Description	Use and Limits
AWS CloudFront	Signed URL	Generated to securely enable User access of S3 Files.	Expiry defined, validates User, verifies integrity of URL.
AWS DynamoDB	Attribute TTL	Attributes can be configured with a TTL.	Automatically delete the Attribute or data without a Query, Cascade. Extremely cost-effective for removing data at some specific time.
AWS S3	Requester Pays (`x-amz-request-payer: requester`)	Header configured to indicate that outgoing content is paid by the Requester not the Content Owner.	Specifies who pays for outgoing I/O from S3 Bucket.
AWS HSM	SSL Hardware Acceleration	Can now offload SSL handshake, verification, to externalized hardware through AWS HSM.	Uses AWS ACM and AWS HSM, calculation of Derived Secret from Premaster is offloaded to HSM instead of occuring on Server.
AWS Pinpoint	SMS Messaging	Compliments AWS SNS (Notification Integrations) and AWS SES (Bulk Email Send).	2-Way as opoosed to AWS SNS to AWS SES.
AWS SNS	Mobile Push for Google Cloud Messaging for Android (GCM), Apple Push Notification Service (APNS)	AWS SNS can push Notifications directly to Mobile through GCM and APNS.	An external Service or Tool isn't needed.
AWS Step Functions	Error and Retry Handling	Can define Errors to handle in `Catcher` and/or `Retry` blocks (for Error status types: `States.ALL`, `States.Runtime`, etc.).	In-built support within Step Functions for configuring Retry and Error Handling.
AWS OpenSearch Service	UltraWarm Nodes	Less costly option to immutably cache some data on AWS S3.	Are capable of READ-Only operations. Immutable data only.
AWS Connect	Contact Center	Used to create an omnichannel contact center.	Used with A.I. to automate inbound phone calls, customer support, etc.

Resources and Links

AWS SAP-C02: Domain 3

Continuous Improvement for Existing Solutions. (Notes about specific subtopics.)

Task 3.4: Determine a strategy to improve reliability

Chaos and Acceptance Testing Tools

AWS Service	Entity	Description	Use and Limits
AWS Fault Injection Simulator	Experiment Template	Chaos and Fault Testing.	Chaos Testing, deliberately injecting faults, causes disruptions.
AWS Cloud Watch	Sythetics Canaries	Test User Stories and flows.	Find and detect disruptions, identify errors, test complex flows.

New Services

AWS Service	Description	Use and Limits
AWS Resilience Hub	Define Resilience Policies for HA, RTO, RPO. ComplimentsAWS Security Hub (Security), AWS Trusted Advisor (Best Practices).	Details bubble up to Dashboard/Control Plane like AWS Security Hub.

Load Balancers

Review the AWS SAA - Elastic Load Balancer notes.

Sticky Sessions

AWS Service or Feature	Description	Use and Limits
AWS ALB Sticky Session	Enabled as Setting on ALB, Target Group and Container associations.	Requires Cookies or Target Groups, Container and Region dependent.
AWS Redis Externalized Cluster	Cluster Deployed to externalize all Session-data or State.	Not Region dependent, Cached, not dependent on Container or app, more expensive and complicated.
AWS Cognito OAuth 2.0 Claims	Embed Session Data into an OAuth 2.0 Bearer Token as an OAuth 2.0 Claim.	Uses a Lambda Function, doesn't increase Bearer Token size, Cognito SDK decrypts and validates Token and introspects Claim Fields.

Task 3.5: Identify opportunities for cost optimizations

Prior AWS SAA EC2 notes are expanded below.

EC2 Container Pricing

Summary, in ascending order by estimated overall cost (given certain contextual or situational factors).

AWS Service	Feature	Description	Use and Limits
AWS EC2 (AWS ECS)	Spot Pricing	Up to `90%` discount over On-Demand Pricing.	Limited to unpredictable and momentary unused EC2 capacity, interruption-prone, no gaurantee that Instances will be available.
AWS EC2 (AWS ECS)	Reserved Pricing	Up to `72%` discount over On-Demand Pricing.	Purchase EC2 capacity up-front, in-advance. Requires more planning.
AWS EC2 (AWS ECS)	On-Demand Pricing	Most expensive option of three.	Purchase guaranteed EC2 Instances by the `hour` or `second`.

Resources and Links

AWS SAP-C02: Domain 4

Accelerate Workload Migration and Modernation. (Notes about specific subtopics.)

Task 4.2: Determine the optimal migration approach for existing workloads

Migration Services

AWS Service	Description	Use and Limits
AWS Schema Conversion Tool (SCT)	Converts existing Schemas (DTL) into target Schemas.	Supports ETL, heterogeneous database migrations, code migrations (think JDBC). When in doubt Aurora and Redshift (warehouse) are the targets.
AWS Database Migration Service (DMS)	Moves Data (DTD) from one database to another.	Homogeneous database migrations, doesn't convert code.
AWS Transform	AI tools to help predict Total Cost of Ownership.	Accelerates migration and identifies which tools are best to use.
AWS Appliation Migration Service	Supports app migration from any Cloud Provider and/or On-Prem.	Migrate Full Stack apps to AWS but doesn't provide TCO, Discovery, Recommendations.
AWS Discovery Service	Application Discovery Agent (Instances), Application Discovery Service Agentless Collector (Virtual Machines)	Tools that are installed on on-premise Resources to discover, identify, track, plan for migration to AWS.
AWS Migration Evaluator	Estimates TCO for migrating from any Cloud Provider and/or On-Prem.	Generates estimated Total Cost of Ownership (TCO) for migrations to AWS.
AWS Migration Hub	Gives recommendations for migrating to AWS, integrates with other migration tools	Gives Migration to AWS Advice (but not TCO).

Task 4.3: Determine a new architecture for existing workloads

Full Stack Container Deployment Services

All Container Deployment Services

AWS Service	Description	Use and Limits
AWS App Runner	Serverless, AWS Managed, Compute solution.	Out-of-the-Box solution for quickly deploying Full Stack apps w/out all the (architectural, configuration) options of AWS ECS.
Amazon Lightsail	User Managed, Compute and Networking solution.	More Integrations (CDN), VPC Configurations.

Job and Batch Job Schedulers

AWS Service	Description	Use and Limits
AWS Batch	Parallelized, Containerized, AWS IAM Integration.	Predictable Containerized workloads.
Traditional Cron Job	User Managed, Programmatic.	Typically Single-Worker, App-Based Security or Permissions.

Resizing Amazon FSx

Amazon FSx (for Windows) doesn't have an inbuilt Dynamically Allocate setting.
- Changes to the file size allocations must be done through AWS Lambda.
- https://docs.aws.amazon.com/fsx/latest/WindowsGuide/automate-storage-capacity-increase.html
Volume Autosizing also exists but must be specified manually through the Command Line.
- https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/enable-volume-autosizing.html

Task 4.4: Determine opportunities for modernization and enhancements

Serverless Functions

The prior: AWS SAA-C03 Serverless notes have been updated.

AWS Service	Feature	Description	Use Scenario	Limits
AWS Lambda	Functions	Serverless, Managed, Function execution.	Best for short, stateless, operations.	`10K` max concurrent Requests per Region, typically associated with AWS REST API Gateway.
AWS Lambda	Step Functions	Define a State Machine to define Workflows (sequences of specified Task). Allows sequential execution of AWS Lambda Functions.	Better for lengthier, sequential, operations. Integrates with AWS Lambda, and other Services.	Service Quotas provide up to `1M` Open Executions and `10K` parallel Map Runs simultaneously.
AWS CloudFront	Functions	Functions deployed on CloudFront (in front of an AWS REST API Gateway).	Primiarly used to validate HTTP Headers, attributes/metadata, and Authorization Tokens in JavaScript.	`1M` Requests simultaneously.
AWS CloudFront	Lambda@Edge	Functions deployed on CloudFront (in front of an AWS REST API Gateway).	Used for more subtantial operations at the periphery (Request Body, ) in Node, Python (but less flexible than AWS Lambda for all operations).	`10K` max Requests per Region.

Note that AWS S3 Object Lambda is likely being deprecated as of November 7, 2025. (They aren't accepting new customers.)

Resources and Links

AWS SAP-C02: Misc.

General Rules of Thumb

Virtual Private Gateway → enhanced security.
AWS Direct Connect → configured Virtual Interface (w/ or w/out Virtual Private Gateway).
On-Premises VPN → AWS Customer Gateway.
AWS Transit Gateways → Many-to-One VPN, VPC, or Network mappings.
- Hub-and-Spoke → AWS Transit Gateways (many VPC's and Direct Connections to be managed together).
Gatewary, VPN, VPC Failover → AWS Direct Connection and a VPN.
For AWS RAM Resource sharing scenarios:
- The default set up involves Private VPC's in each AWS Account being Peered the main shared services VPC.
CNAME entries can't be associated with AWS Route 53 roots so:
- ELB's → ALIAS (A record).
Calculating Migration TCO → AWS Migration Evaluator
Heterogeneous DB migrations → SCT
VMware → OVF
Budget and Cost Estimations → Management Account
High Availability → Cross Region (Highest Availability)
Auto-Scaling Group → Step (can keep scaling), Simple (must pause further scaling while scaling up)
Global Accelerator with NLB → Lowest Latency (faster than Route 53 geourouting, geolocating)
Caching Multi-AZ Failover → Redis (Yes), Memcached (No)
Organization Backup Policy → AWS Backup (not AWS DLM)
Maximum S3 Lock → compliance, Object Lock must be configured at creation (not aftewards)
AWS EFS → within same Region
AWS SQS FIFO Queues → must be created with that configuration (cannot be changed afterwards)

ChatGPT Generated Rules of Thumb

ChatGPT added the following.

🌐 Networking / Connectivity

Virtual Private Gateway → enhanced security.
AWS Direct Connect → configured Virtual Interface (with or without Virtual Private Gateway).
On-Premises VPN → AWS Customer Gateway.
AWS Transit Gateway → many-to-one VPN, VPC, or network mappings.
Hub-and-Spoke → AWS Transit Gateway (centralized management of many VPCs and Direct Connects).
Gateway, VPN, VPC failover → AWS Direct Connect + VPN backup.
Internet Gateway → public subnet only (one per VPC).
NAT Gateway → private subnet outbound internet only (IPv4); no inbound traffic.
NAT Instance → legacy/low-cost alternative requiring manual management.
VPC Endpoints (Gateway) → S3 and DynamoDB only.
VPC Interface Endpoints (PrivateLink) → private access to most AWS services.
Security Group → stateful (return traffic automatically allowed).
Network ACL → stateless (explicit inbound and outbound rules required).

🔀 Routing / Hybrid Architecture

AWS RAM resource sharing → private VPCs in each account often peer to shared services VPC.
Route 53 latency-based routing → directs users to closest region by latency.
Route 53 failover routing → active-passive disaster recovery.
Route 53 weighted routing → A/B testing and traffic splitting.
AWS Transit Gateway → preferred over VPC peering at scale.
VPC Peering → no transitive routing and no overlapping CIDRs allowed.

💾 Storage

CNAME records → cannot be used for root domains in Route 53; use ALIAS (A record).
Amazon S3 Standard → general-purpose, multi-AZ durability.
S3 Intelligent-Tiering → unknown or changing access patterns.
S3 Glacier Instant Retrieval → archive with millisecond access.
S3 Glacier Flexible Retrieval → minutes to hours retrieval.
S3 Glacier Deep Archive → lowest-cost long-term storage.
S3 Cross-Region Replication → requires versioning enabled.
EBS volumes → AZ-scoped (not region replicated).
EBS snapshots → stored incrementally in S3.
Amazon EFS → regional, shared file system across AZs.
AWS FSx → specialized file systems (Windows, Lustre, NetApp, OpenZFS).
S3 Object Lock (compliance mode) → must be enabled at bucket creation (cannot be enabled later).

🗄️ Databases

Amazon DynamoDB → single-digit millisecond latency, serverless scaling.
DynamoDB Global Tables → active-active multi-region replication.
DynamoDB DAX → read-only in-memory cache layer.
Amazon Aurora → read scaling via replicas; single writer primary.
Aurora Global Database → cross-region low-latency reads.
RDS Multi-AZ → high availability only (not read scaling).
RDS Read Replicas → read scaling and possible cross-region replication.

⚙️ Compute

Amazon EC2 → latest generation instances provide best performance.
EC2 Placement Groups (Cluster) → lowest latency between instances.
EC2 Auto Scaling Step Scaling → continues scaling based on thresholds.
EC2 Auto Scaling Simple Scaling → pauses scaling while actions complete.
AWS Lambda → event-driven compute, max 15-minute runtime.
Lambda cold start → reduced with Provisioned Concurrency.
EC2 Spot Instances → heavily discounted but interruptible.
EC2 On-Demand → baseline stable workloads.
EC2 Reserved Instances → long-term predictable workloads.
Savings Plans → more flexible alternative to Reserved Instances.

📦 Messaging / Integration

Amazon SQS Standard → at-least-once delivery, possible duplicates.
Amazon SQS FIFO → ordered, exactly-once processing model.
SQS FIFO queue → must be configured at creation (cannot be changed later).
Amazon SNS → pub/sub fan-out messaging.
SNS + SQS → decoupled fan-out architecture pattern.
Amazon EventBridge → event-driven integration bus.
AWS Step Functions → workflow orchestration.

🔐 Security / Identity

IAM Roles → preferred for temporary access credentials.
AWS STS → issues temporary security credentials.
AWS KMS → regional encryption key management.
AWS CloudHSM → dedicated hardware security module.
AWS Secrets Manager → supports automatic secret rotation.
SSM Parameter Store → lower-cost alternative (no native rotation).

📊 Monitoring / Governance

Amazon CloudWatch → metrics, logs, and alarms.
AWS CloudTrail → API activity auditing.
AWS Config → resource configuration tracking and compliance.
Amazon GuardDuty → threat detection and anomaly detection.
AWS Security Hub → centralized security findings.

🏢 Multi-Account / Enterprise

AWS Organizations → centralized multi-account governance.
Service Control Policies (SCPs) → permission guardrails (do NOT grant permissions).
AWS RAM → resource sharing across accounts without VPC peering.
Management account → used for billing and org administration only.
Member accounts → where workloads should run.

⚡ High-Level Architecture Rules

Global Accelerator + NLB → lowest latency global routing.
Route 53 latency routing → not always geographically closest, but network-optimal.
Redis (ElastiCache) → supports Multi-AZ failover.
Memcached → no Multi-AZ failover support.
AWS Backup → centralized backup policy management (preferred over AWS DLM).
AWS Migration Evaluator → migration TCO estimation.
AWS SCT (Schema Conversion Tool) → heterogeneous database migration.
VMware OVF → VMware migration format reference.
Cross-Region architecture → highest availability / disaster recovery model.
Multi-AZ architecture → high availability within a single region.