Code Buckets


AWS Developer Associate Certification Cheat Sheet

AWS exam study (probably)
Developers studying for the AWS Developer exam (Photo by Museums Victoria on Unsplash)

I’ve just taken and passed the AWS Certified Developer Associate Exam. While I’m basking in the after certification glow I thought I would tidy up and publish my exam notes as a cheat sheet. It’s a pretty long set of notes as there’s a lot to learn. Good luck.

Acronyms

Common acronyms used throughout the notes

  • AZ – availability zone
  • CI/CD – continuous integration / continuous deployment
  • CORS – cross-origin resource sharing
  • CLI – command line interface
  • ETL – extract, transform, load
  • IOPS – input/output operations per second
  • MFA – multi-factor authentication
  • REST – Representational State Transfer – a common API style
  • TTL – time to live
  • SSE – server side encryption
  • ML – machine learning

Most services also have acronyms (S3, ECS etc.). You should be able to recognise the service from its acronym as often the full name isn’t used in the exam.

Tips

It’s a tough exam, so some general tips before we start on the detail of the various services

1. Good study material is key. I recommend Udemy, closely followed by CloudGuru.

2. Know the differences between these sets of services. They often come up

  • EBS vs EFS
  • Parameter Store vs Secret Manager
  • Kinesis Data Streams vs Kinesis Firehose
  • SQS vs SNS vs Kinesis Data Stream
  • ASG vs ELB
  • CloudFormation vs SAM
  • CodeDeploy vs CodePipeline
  • Cognito User Pool vs Cognito Identity Pool
  • AWS API Gateway HTTP API vs AWS API Gateway REST API

3. Know the limits of each service e.g. max item size etc. There is a section called Limits for many of the services below to help out.

4. In addition to the study material also use the FAQ section for a service e.g. S3 FAQs. Each service has one and they are a good summary. There are also whitepapers that are recommended reading – I didn’t read any and I still passed but perhaps I should have done anyway.

5. Knowing the facts isn’t enough. The questions are scenario based so applying the facts is key. Hands-on practice with AWS is best if you aren’t using it in your day to day role.

Keywords

Picking out keywords is useful to give you a clue, for instance these keywords point to specific services

  • visualisation (think X-Ray)
  • audit (CloudTrail)
  • compliance (AWS Config)
  • metrics (CloudWatch)
  • Timeout Errors (Security Groups – a security group that doesn’t allow the traffic silently drops it, so the client sees a timeout rather than a refused connection)
  • Continuous Delivery (CodePipeline)
  • Containers (ECS/ECR)
  • Real-Time (Kinesis)

and these general concepts will change the correct answer

  • serverless
  • fully managed
  • without changing code
  • minimising costs
  • minimal effort

Caveats

Everything that follows are my notes from the AWS exam. I’ve tidied them up a bit but they are still very much in note form. Use them as a basis for your own notes or to cross check for gaps.

General

General resources and required knowledge and cross cutting subjects for the AWS Developer Associate Exam

ARN format

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id

Partitions are the highest level of division. The region and account-id segments are empty for global resources, e.g. IAM roles have no region and S3 buckets have neither, and the resource segment can itself contain colons (a Lambda function ARN ends in function:name:alias).

Supported partitions

  • aws – Amazon Regions
  • aws-cn – China Regions
  • aws-us-gov – Amazon GovCloud (US) Regions
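Parsing the three ARN shapes above and matching ARNs against IAM Resource patterns, as an added example that is not part of the original notes. The ARNs are constructed samples; arn_matches implements only the * and ? wildcard semantics of a policy Resource element, not full policy evaluation.

```python
# Added example (not from the page): parse the three ARN shapes and match ARNs
# against IAM-style wildcard patterns. All ARNs here are constructed samples.
import re
from dataclasses import dataclass

SUPPORTED_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for global services such as IAM and S3
    account: str     # empty for some services, e.g. S3 buckets
    resource: str    # resource-id, resource-type/resource-id or resource-type:resource-id

    @property
    def resource_type(self) -> str:
        # The resource segment may use '/' or ':' as the type separator; whichever
        # comes first wins. A bare resource-id has no type. (S3 is the odd one out:
        # its segment is bucket/key, so this returns the bucket name.)
        cut = min((i for i in (self.resource.find("/"), self.resource.find(":")) if i >= 0),
                  default=-1)
        return self.resource[:cut] if cut > 0 else ""


def parse_arn(text: str) -> Arn:
    # Split at most 5 times: the resource segment can itself contain ':'
    # (e.g. function:my-func:PROD), so it must stay intact.
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account, resource = parts
    if partition not in SUPPORTED_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    if not service or not resource:
        raise ValueError("service and resource segments are required")
    return Arn(partition, service, region, account, resource)


def is_valid_arn(text: str) -> bool:
    try:
        parse_arn(text)
        return True
    except ValueError:
        return False


def arn_matches(pattern: str, arn: str) -> bool:
    # IAM Resource patterns use '*' (any run of characters) and '?' (one character).
    # The match is over the whole string: '*' happily crosses '/' and ':' boundaries.
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    role = parse_arn("arn:aws:iam::123456789012:role/deploy-role")
    print(role.resource_type, role.region == "")
    # A trailing '*' without the '/' also grants access to sibling buckets.
    print(arn_matches("arn:aws:s3:::my-bucket*", "arn:aws:s3:::my-bucket-backup/secret.txt"))
```

The last line of the demo is the check worth remembering when reading policies: `arn:aws:s3:::my-bucket*` matches `my-bucket-backup` as well, whereas `arn:aws:s3:::my-bucket/*` only matches objects inside the intended bucket.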

HTTP Response Codes

It’s useful to know the classes of the HTTP response codes and the more common specific examples

  • 2xx – success
  • 3xx – redirection
  • 4xx – client error
  • 5xx – server error

and specific codes to know

  • 200 – success
  • 201 – created
  • 204 – no content
  • 301 – moved permanently
  • 302 – moved temporarily
  • 400 – bad request
  • 403 – forbidden
  • 404 – not found
  • 408 – request timeout
  • 429 – too many requests (throttled / rate exceeded)
  • 500 – server error
  • 502 – bad gateway
  • 504 – gateway timeout

Ports

For the exam it is useful to know some ports and port ranges

  • 22 – SSH
  • 80 – HTTP
  • 443 – HTTPS
  • 1024-65535 – ephemeral ports. Clients (including ELBs, NAT gateways and Lambda functions) open connections from a port in this range, so a stateless network ACL must allow the range for the return traffic; security groups are stateful and handle this automatically

Less likely to come up but possible are the ranges below. Most likely for the AWS Developer exam is just to know that the below operate somewhere in the ephemeral port range.

  • 32768 – 61000 – Amazon Linux kernel
  • 1025 – 5000 – Windows OS up to Windows Server 2003
  • 49152 – 65535 – Windows OS from Windows Server 2008 onwards

Docker

Useful to know basic docker and docker-compose commands e.g.

  • docker build
  • docker tag
  • docker push
  • docker run
  • docker-compose create
  • docker-compose up
  • docker-compose down

Categories

Remember which services have the below general characteristic.

Global Services

  • IAM
  • AWS Organisations
  • CloudFront
  • Route53
  • AWS Web Application Firewall

Multi-region services

  • DynamoDB – Global Tables
  • S3 – cross region replication
  • Aurora – Global Database
  • VPC – can peer across regions

Encryption by default

  • DynamoDB
  • CodeCommit
  • CloudTrail
  • CloudWatch
  • X-Ray

Free Tier

Have a basic awareness of what the free tier offers.

A newly created account has free services within the first 12 months such as

  • t2.micro (or t3.micro in certain regions) instances within certain usage limits

Infrastructure as a Service

Photo by Chris Briggs on Unsplash

Services that can be thought of as traditional infrastructure that you may find in your own data centres e.g. virtual machines, load balancers, network drives. The nuts and bolts.


Auto Scaling Group (ASG)

Spans multiple AZs across 1 region. Does not span across regions

Will balance EC2 instances across healthy AZs

Health check types

  • EC2 and scheduled events (default)
  • ELB – works with Application Load Balancers and Network Load Balancers
  • Custom

Monitoring options

  • Basic – once every 5 minutes. Default when using AWS console to create
  • Detailed – once every minute. Default when using SDK or CLI to create

Scaling Policies

https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scale-based-on-demand.html

  • Target tracking scaling – tracks a metric and keeps it at a target value e.g. 50% CPU utilisation
  • Step scaling – increases and decreases capacity by step adjustments sized according to how far the CloudWatch alarm is breached
  • Simple scaling – increases/decreases capacity by a fixed amount when an alarm fires, with a cooldown period between scaling activities
  • Scheduled Actions – scale based on a known usage pattern e.g. 5 pm Friday
  • Predictive scaling – continuously forecasts based on usage patterns – Machine Learning powered

Metrics to scale on – examples

  • CPUUtilization
  • RequestCountPerTarget
  • Average Network I/O

CloudFront

Caches web content near to location of user to improve latency

Can have multiple origins so can source different data from different locations

Used to serve

  • Static content e.g. from S3 servers
  • Dynamic content e.g. from webservers such as EC2 instances and ECS containers

Origin Groups

Origin groups configure a primary and secondary source. The secondary source is used in the event of a failure in the primary, therefore providing higher availability of the service.

CloudFront only fails over on GET, HEAD or OPTIONS requests.

Need 2 or more origins for failover. Only one origin is marked as primary.

Security

Historically the key pairs used to sign URLs and cookies (trusted signers) could only be created by the root account, with a maximum of 2 active key pairs – one of the few legitimate usages of the root account in normal operations.

Trusted key groups are the current approach: public keys are uploaded to CloudFront and grouped, managed with ordinary IAM permissions and no root account access. New feature as of time of writing; prefer it because the private key never has to go near the root account.

Signed URL – secure, time limited access to a single resource. The signed URL carries (or references) a policy statement. If a request contains both a signed URL and signed cookies the signed URL takes precedence

Signed Cookies – used for access to multiple files without changing the URLs


Elastic Block Store (EBS)

Network drives

Block storage – attached to an EC2 instance as a volume. Can be detached and reattached to another EC2 instance

Locked to an AZ

Volume Types

See here for further details

  • General Purpose SSD
    • gp2
    • gp3
  • Provisioned IOPS SSD
    • io1
    • io2
  • HDD – cannot be used as boot volumes for EC2
    • st1
    • sc1 -lowest cost volume

General Purpose SSD

1GB to 16 TB

gp2 – Performance is 3 IOPS per GB, scaling linearly with volume size (with burst up to 3,000 IOPS)

gp3 – Performance scales independently of volume size. Baseline 3,000 IOPS

Max IOPS for both is 16,000

See here for details

Provisioned IOPS SSD volumes

4GB to 16TB.

Max IOPS

  • Nitro 64,000
  • Other 32,000

Used for I/O intensive workloads – e.g. database workloads

IOPS capacity – max IOPS per volume is limited by the IOPS:GB ratio: 50:1 for io1 and 500:1 for io2, e.g. for a 200GB io1 volume the max IOPS is 200 * 50 = 10,000 IOPS

io2 Block Express – 4GB – 64TB, max IOPS 256,000, IOPS:GB ratio 1000:1

Monitoring

Create volume event – not available when volume created during EC2 launch

Volume status checks – track and manage potential data inconsistencies

Encryption

Encryption by default – regional setting. All new EBS volumes are encrypted. Cannot be disabled on a per volume basis

Cannot directly encrypt an unencrypted volume. To encrypt an existing volume

  • create a snapshot
  • while copying snapshot enable encryption
  • create encrypted volume from encrypted snapshot

Multi-Attach

Only available for io1/io2. Within same AZ. Up to 16 EC2 instance at a time

Other volumes can only be attached to one EC2 instance

Settings

DeleteOnTermination controls whether the associated EBS volume is deleted when the instance is terminated (not merely stopped). Can be set in the console only at launch; with the CLI or API (modify-instance-attribute) it can be changed on a running instance. By default set to true for the root volume and false for other attached volumes.

DisableApiTermination controls whether the instance can be terminated using the console, CLI or API


Elastic Compute Cloud (EC2)

Virtual machines. The classic AWS offering.

Cost model

  • Spot Instance
  • Reserved Instance
    • Standard Reserved Instance
    • Convertible Reserved Instance
    • Scheduled Reserved Instance
  • On demand instance

Reserved instances can reserve for cost savings and optionally capacity

  • Zonal reserved instance – reserved for cost and capacity
  • Regional reserved instance – reserved for cost only

when reserving, the cost saving can be applied across instances – e.g. buying 1 hour can run 2 instances of the correct class for 30 minutes each.

Tenancy

  • Dedicated instances – Isolation at hardware level. May share with other instances from same AWS account
  • Dedicated hosts – Isolation at hardware level. Control over how instances are placed on server. Used in need to put licence on server. Can deploy to same physical server over time

Metadata

Instance described by http://169.254.169.254/latest/meta-data – this includes the temporary credentials of the instance’s IAM role, so treat it as sensitive

User data on launch described by http://169.254.169.254/latest/user-data

IMDSv2 requires a session token (obtained with a PUT) on every request. Enforce it (HttpTokens=required) so that an SSRF bug in an application on the instance cannot simply GET the role credentials.
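An IMDSv2 request sequence, added here as an example rather than taken from the notes. Only the Python standard library is used; fake_imdsv2 is a constructed stand-in for an instance that has IMDSv2 required, so the exchange can be run off an instance, and the metadata values it serves are made up.

```python
# Added example (not from the page): read instance metadata the IMDSv2 way, which
# needs a session token obtained with a PUT before any GET. The fake endpoint at the
# bottom is constructed so the exchange can be exercised off an instance.
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"
MAX_TOKEN_TTL = 21600  # seconds; the largest TTL IMDS will issue (6 hours)


def _http(method, url, headers, timeout=2.0):
    # Real transport. A short timeout matters: off an instance this address never answers.
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def imds_get(path, fetch=_http, token_ttl=MAX_TOKEN_TTL):
    """Fetch e.g. 'meta-data/instance-id' using an IMDSv2 session token."""
    # 1. PUT /latest/api/token with the TTL header. A plain SSRF GET cannot produce
    #    this PUT, which is why v2 blunts credential theft via 169.254.169.254.
    status, token = fetch("PUT", f"{IMDS_BASE}/api/token",
                          {"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    # 2. Present the token on the actual metadata request.
    status, body = fetch("GET", f"{IMDS_BASE}/{path.lstrip('/')}",
                         {"X-aws-ec2-metadata-token": token})
    if status != 200:
        raise RuntimeError(f"metadata request for {path!r} failed: HTTP {status}")
    return body


def try_imds_get(path, fetch=_http, token_ttl=MAX_TOKEN_TTL):
    """The value, or None when the endpoint refused the exchange."""
    try:
        return imds_get(path, fetch, token_ttl)
    except RuntimeError:
        return None


def fake_imdsv2(metadata):
    """Constructed stand-in for an instance with IMDSv2 required (HttpTokens=required)."""
    issued = set()

    def fetch(method, url, headers, timeout=None):
        rel = url[len(IMDS_BASE) + 1:]
        if method == "PUT" and rel == "api/token":
            ttl = headers.get("X-aws-ec2-metadata-token-ttl-seconds")
            if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TOKEN_TTL:
                return 400, "bad ttl"
            token = f"tok-{len(issued) + 1}"
            issued.add(token)
            return 200, token
        if method == "GET":
            if headers.get("X-aws-ec2-metadata-token") not in issued:
                return 401, "unauthorized"      # IMDSv1-style request refused
            return (200, metadata[rel]) if rel in metadata else (404, "not found")
        return 405, "method not allowed"

    return fetch


if __name__ == "__main__":
    print(imds_get("meta-data/instance-id"))   # only works on an EC2 instance
```

The same two-step exchange is what the AWS SDKs and the CLI perform; the point of writing it out is to see that the GET without a token is the request that an IMDSv2-required instance rejects with 401.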

Spot Instances

Interrupt behaviour can be

  • Stop
  • Hibernate
  • Terminate – default behaviour

Burstable Instances

Used for variable loads. T family (T4g, T3a, T3). An instance earns CPU credits while running below its baseline and spends them to burst above it. Credits belong to the instance, so a deployment that replaces instances (e.g. an Elastic Beanstalk immutable or traffic-splitting deployment) starts over with fresh instances and their launch credits.

Monitoring

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

  • Basic monitoring – sends data to CloudWatch every 5 minutes
  • Detailed monitoring – sends data to CloudWatch every 1 minute
  • High resolution custom CloudWatch alarm with script in EC2 to push data – push data up to maximum of 1 second with an CloudWatch Alarm that evaluates a maximum of once every 10 seconds

Metrics captured by default

  • CPU: CPU Utilization, CPU credit usage (count), CPU credit balance (count)
  • Disk: Disk reads (bytes), Disk read operations (operations), Disk writes (bytes), Disk write operations (operations)
  • Network: Network in (bytes), Network out (bytes), Network packets in (count), Network packets out (count)
  • Status check failed (count): any, instance, system

Note – system level RAM usage is not available by default so must be pushed to CloudWatch by a script


Elastic Container Service (ECS)

Container orchestration. AWS equivalent of Kubernetes, although Elastic Kubernetes Service (EKS) is also offered.

Service scheduler – can run batch or single tasks.

Step scaling policy – AWS recommends target tracking alarms not step scaling

If multiple containers share a task then they share underlying resources e.g. data volumes

ECS Container Agent

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_agent.html

ECS container agent allows EC2 instances to be used as hosts. Also be used by external instances (VMs, on-premise)

Config

  • in /etc/ecs/ecs.config for Linux
  • Powershell SetEnvironmentVariable for windows

Can pass config via user data into EC2 host

Environment variables – all optional (examples)

  • ECS_ENABLE_TASK_IAM_ROLE – IAM roles for tasks with bridge and default network modes
  • ECS_ENGINE_AUTH_DATA – private registry credentials for the Docker daemon
  • ECS_AVAILABLE_LOGGING_DRIVERS
  • ECS_CLUSTER – ECS cluster that the container instance should join

ECS structure

  • cluster
  • container service
    • VPC configuration and security groups
    • Autoscaling
  • container task
    • task execution role – used by the ECS agent to pull the image, write logs and fetch secrets
    • task role – assumed by the application code in the containers; give it only the permissions the workload needs
    • memory and cpu
    • environment variables
    • port mappings

Fargate Host

Fully managed. Cannot access underlying server.

Considered serverless

Doesn’t support Docker volumes (bind mounts and EFS volumes are supported)

API

aws ecs create-service --service-name xxx --task-definition xxx --desired-count 10


Elastic Container Registry (ECR)

Amazon hosted registry for container images – like publishing to Docker Hub but within AWS. Images are pushed with the Docker CLI after authenticating with a short-lived token (aws ecr get-login-password), and the registry can scan images for known vulnerabilities on push.


Elastic File System (EFS)

File storage

Support for Fargate or EC2

Bind to multiple containers or EC2 instances so used for sharing files

Can only mount on Linux EC2. Windows is not supported.

Mounted on 100s of EC2 instances across AZs

Storage classes

Standard is the most expensive; the IA classes trade lower storage cost for a per-access charge, and the One Zone classes are cheaper than their multi-AZ equivalents

  • Standard – High durability, High availability, Frequent access
  • Standard-IA – High durability, High availability, Infrequent access
  • One Zone – High durability, Lower availability (single AZ), Frequent access
  • One Zone-IA – High durability, Lower availability (single AZ), Infrequent access – lowest cost

ElastiCache

Caching layer for your applications

Memcached or Redis

Useful for improving latency and throughput, e.g. for read heavy applications

Need to change application code to use this

Caching strategies

  • Write through
  • Lazy loading
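Lazy loading and write-through side by side, as an added example that is not from the notes. It runs against a simulated cache node and a dict standing in for the database, with an injectable clock so that TTL expiry can be observed offline; none of it talks to ElastiCache.

```python
# Added example (not from the page): lazy loading and write-through against a
# simulated cache and database, with an injectable clock so TTL expiry can be seen.
# The store and the data are constructed; nothing here talks to ElastiCache.

class SimCache:
    """Stand-in for a Redis/Memcached node: key -> (value, expires_at)."""

    def __init__(self, clock):
        self.clock = clock
        self.store = {}
        self.hits = self.misses = 0

    def get(self, key):
        entry = self.store.get(key)
        if entry and (entry[1] is None or entry[1] > self.clock()):
            self.hits += 1
            return entry[0]
        self.store.pop(key, None)   # expired or absent
        self.misses += 1
        return None

    def set(self, key, value, ttl=None):
        self.store[key] = (value, None if ttl is None else self.clock() + ttl)


def lazy_read(cache, db, key, ttl):
    """Lazy loading: only populate the cache on a miss. Cheap on writes, but a row
    changed directly in the database stays stale in the cache until the TTL expires."""
    value = cache.get(key)
    if value is None and key in db:
        value = db[key]
        cache.set(key, value, ttl)
    return value


def write_through(cache, db, key, value, ttl):
    """Write-through: every write updates the database and the cache together, so
    reads never see stale data (at the cost of caching keys nobody reads)."""
    db[key] = value
    cache.set(key, value, ttl)


def scenario():
    """Walk through both strategies and report what each read returned."""
    now = [0]
    cache = SimCache(clock=lambda: now[0])
    db = {"user:1": "alice"}
    first = lazy_read(cache, db, "user:1", ttl=60)      # miss -> loaded from db
    second = lazy_read(cache, db, "user:1", ttl=60)     # hit
    db["user:1"] = "alice-renamed"                      # out-of-band database update
    stale = lazy_read(cache, db, "user:1", ttl=60)      # still the cached value
    now[0] = 61
    fresh = lazy_read(cache, db, "user:1", ttl=60)      # TTL expired -> reloaded
    write_through(cache, db, "user:2", "bob", ttl=60)
    consistent = lazy_read(cache, db, "user:2", ttl=60) # hit, and matches the db
    return {"first": first, "second": second, "stale": stale, "fresh": fresh,
            "consistent": consistent, "hits": cache.hits, "misses": cache.misses}


if __name__ == "__main__":
    print(scenario())
```

The stale read is the exam point: with lazy loading alone a change that bypasses the application is invisible until the TTL expires, so a TTL is not optional, and anything that must never be stale should be written through.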

Data partitioning and replication

Both Memcached and Redis support data partitioning (sharding) – distributing the data across multiple nodes – which spreads memory and load. Partitioning on its own does not protect against data loss: a failed node loses its share of the cache.

Redis additionally supports replication. Read replicas increase read capacity but not write capacity, and protect the cached data if the primary fails. All nodes must be in the same region. Data is copied from the primary node to replicas asynchronously.

Replication operates independently of cluster mode. With cluster mode enabled the data is split across shards, so the failure of one shard loses only part of the data; with cluster mode disabled there is a single shard, so losing it loses all of the cached data.

Memcache vs Redis

https://aws.amazon.com/elasticache/redis-vs-memcached/

Memcached is the simpler option – multithreaded, no persistence, no replication

Redis offers advanced data structures, snapshots, replication, Multi-AZ failover, geospatial capabilities and pub/sub. Memcached doesn’t. Generally Redis is the correct option.

Redis Cluster mode

  • horizontal scaling to 100TB. Scale in and out number of shards. Up to 90 shards
  • vertical scaling. Changing the node type
  • Good for workloads that are unknown in advance
  • Includes replication so better protection of data in cache – helps when regenerating the cache is costly

Limitations

  • Cannot manually promote read replicas to primary
  • Multi-AZ is required
  • Need to restore from backup to change structure of cluster (type, number of nodes etc..)

Elastic Load Balancer (ELB)

Load balancing traffic to applications

Targets across multiple Availability Zones in same Region

Cross zone load balancing will distribute traffic evenly against all instances. Enabled on ALB by default

Types of load balancers

  • Application Load Balancer
  • Network Load Balancer
  • Classic Load Balancer
  • Gateway Load Balancer

Details of are given below.


Application Load Balancer (ALB)

Works on OSI Layer 7 – Application Layer

Target types

  • Instance ID – routed by primary private IP
  • IP – routed by any private IP. Cannot specify public IPs
  • Lambda

Modifies incoming requests. Client details are in these headers

  • X-Forwarded-For contains the client IP (appended by the ALB after anything the client or upstream proxies already put there)
  • X-Forwarded-Proto contains the protocol the client used to connect to the load balancer (http or https)
  • X-Forwarded-Port contains the port the client connected to on the load balancer

Supports round robin or least outstanding requests routing algorithms

Sticky Sessions require the client to have cookies enabled – uses a cookie called AWSALB (or an application cookie that the target sets)

TLS terminates at the ALB, which offloads the crypto from the underlying instances (the ALB can then re-encrypt to the targets). If TLS must pass through untouched to the instance that needs a Network Load Balancer with a TCP listener.
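Recovering the client address from X-Forwarded-For behind an ALB, as an added example that is not from the notes. The header values are constructed; the function relies on the ALB’s default behaviour of appending the address it accepted the connection from to the end of the header.

```python
# Added example (not from the page): derive the client IP behind an ALB from
# X-Forwarded-For without trusting client-supplied entries. Header values are constructed.
import ipaddress


def client_ip_behind_alb(xff_header, trusted_proxies=1):
    """The ALB appends the address it accepted the connection from to the end of
    X-Forwarded-For. Only the last `trusted_proxies` entries were written by
    infrastructure you control; anything before them arrived inside the client's
    request and can be forged. Use trusted_proxies=2 when CloudFront sits in front
    of the ALB (CloudFront writes the viewer address, then the ALB appends CloudFront's)."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        raise ValueError("X-Forwarded-For has fewer entries than trusted proxies")
    # Counting from the right skips whatever the client prepended.
    candidate = hops[-trusted_proxies]
    return str(ipaddress.ip_address(candidate))   # validates; raises ValueError on junk


def client_ip_or_none(xff_header, trusted_proxies=1):
    """Same, but None instead of an exception, for request handlers that log and move on."""
    try:
        return client_ip_behind_alb(xff_header, trusted_proxies)
    except ValueError:
        return None


def naive_client_ip(xff_header):
    """The common mistake: take the first entry, which the client controls."""
    return xff_header.split(",")[0].strip()


if __name__ == "__main__":
    # A client sent "X-Forwarded-For: 10.0.0.1" hoping to look internal; the ALB
    # appended the real source 203.0.113.7.
    header = "10.0.0.1, 203.0.113.7"
    print(naive_client_ip(header), client_ip_behind_alb(header))
```

If the goal is an IP allowlist, enforce it at the load balancer with the source-ip rule condition shown below under Request based routing; that condition uses the connection’s source address and ignores X-Forwarded-For, so it cannot be talked around with a forged header.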

Logging

ALB request tracing. Adds header X-Amzn-Trace-Id. When load balancer receives then appends information to the header.

ALB access logs- can be used to analyse latency. Optional – not enabled by default. Stored in S3 buckets. Contains information on

  • time received
  • client IP address
  • latencies
  • request paths
  • server responses

Request based routing

Can route requests to target based on

http headers e.g. user agent string

[
  {
      "Field": "http-header",
      "HttpHeaderConfig": {
          "HttpHeaderName": "User-Agent",
          "Values": ["*Chrome*", "*Safari*"]
      }
  }
]

host header e.g. hostname

[
  {
      "Field": "host-header",
      "HostHeaderConfig": {
          "Values": ["*.example.com"]
      }
  }
]

request method (GET, POST etc..)

[
  {
      "Field": "http-request-method",
      "HttpRequestMethodConfig": {
          "Values": ["GET"]
      }
  }
]

path i.e. url pattern matching

[
  {
      "Field": "path-pattern",
      "PathPatternConfig": {
          "Values": ["/img/*"]
      }
  }
]

query string

[
  {
      "Field": "query-string",
      "QueryStringConfig": {
          "Values": [
            {
                "Key": "version", 
                "Value": "v1"
            },
            {
                "Value": "*example*"
            }
          ]
      }
  }
]

source ip

[
  {
      "Field": "source-ip",
      "SourceIpConfig": {
          "Values": ["192.0.2.0/24", "198.51.100.10/32"]
      }
  }
]

Troubleshooting

  • HTTP 403 – Forbidden, request blocked by a WAF web ACL
  • HTTP 500 Internal server error – error executing the WAF web ACL rules, or an authenticate action that could not reach the identity provider (e.g. the VPC has no route to the internet). Request submitted with no protocol
  • HTTP 502 Bad Gateway – Lambda throttled or timed out, or the target’s response was malformed
  • HTTP 503 Service unavailable – the target group has no registered targets
  • HTTP 504 Gateway timeout – connection to the target timed out, e.g. a network ACL or security group doesn’t allow the traffic

Network Load Balancer (NLB)

Works on OSI Layer 4 – Transport Layer. Very fast and high capacity

Does not modify incoming requests

Target Types

  • Instance ID
  • IP – cannot specify public IPS
  • ALB

ALB vs NLB

https://blog.cloudcraft.co/alb-vs-nlb-which-aws-load-balancer-fits-your-needs/


Classic Load Balancer

Deprecated but still referenced on the AWS Developer Associate exam as an option. Unlikely to be the answer

Does not support dynamic port mapping, so it can’t front multiple ECS tasks on the same host


Serverless

Photo by engin akyurt on Unsplash

Services which do not require you to manage the underlying infrastructure – in fact you can’t.

Services considered serverless are

  • DynamoDB
  • S3
  • ECS (Fargate)
  • ECR
  • Lambda
  • Step Functions
  • SQS
  • API Gateway
  • AppSync
  • EFS
  • Aurora Serverless
  • Amazon EventBridge

Some are detailed in other sections


AppSync

Managed service that uses GraphQL

  • GraphQL API
  • real-time with websockets
  • mobile apps for local data access and data sync

Security

  • API key – for public or prototype APIs only; it identifies an application, not a user
  • IAM
  • OpenID Connect
  • Cognito User Pools

For a custom domain name and certificate put CloudFront in front of AppSync (the default AppSync endpoint is already HTTPS)


API Gateway

Mapping templates allow you to change requests and responses to and from the api

Used for creating

  • HTTP APIs
  • REST APIs
  • WebSocket APIs

Supports SOAP by

  • configuring as a pass through
  • can convert XML response to JSON

Supports Account Level Throttling

Integration Types

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-integration-types.html

  • AWS – integration with AWS services
  • AWS_PROXY – direct integration with a Lambda function. Preferred for Lambda
  • HTTP – expose HTTP endpoints
  • HTTP_PROXY – expose HTTP endpoints with no request or response mappings
  • MOCK – used for API testing

Security

Authentication and Authorisation by

  • Resource policies
  • AWS IAM roles and policies
  • Lambda authorisers
  • VPC endpoint policies
  • Amazon Cognito User Pools

CORS can be enabled to let browsers on other origins call the API – it is a browser-enforced policy, not an access control, so it doesn’t replace any of the mechanisms above

Lambda authorisers

Used when

  • implementing a custom auth scheme e.g. OAuth, SAML
  • using request parameters to establish user identity

Can be

  • Token based
  • Request based

Can interface with a 3rd party provider (contrast to Cognito User Pools)
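A token-based Lambda authoriser, added as an example and not taken from the notes. The token format (an HMAC-SHA256 over "user:role:expiry"), the shared secret and the role names are assumptions made for this example; a real authoriser would verify a JWT against the identity provider’s keys or call the provider, but the shape of the event, the policy it returns and the caching caveat are the same.

```python
# Added example, not from the page: a token-based Lambda authoriser for API Gateway.
# The token format (HMAC-SHA256 over "user:role:expiry"), the shared secret and the
# role names are assumptions made for this example; a real authoriser would verify a
# JWT against the IdP's keys or call the IdP instead.
import base64
import hashlib
import hmac
import time

SHARED_SECRET = b"example-only-secret"   # assumption: would be loaded from Secrets Manager
ALLOWED_ROLES = {"admin", "developer"}    # assumption


def issue_token(user, role, expires_at):
    """Mint a token the way the (hypothetical) login service would."""
    payload = f"{user}:{role}:{int(expires_at)}".encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token, now=None):
    """Return the claims for a valid, unexpired token, otherwise None."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        user, role, exp = payload.decode().split(":")
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    if exp <= (time.time() if now is None else now):
        return None
    return {"user": user, "role": role}


def stage_wildcard(method_arn):
    """arn:aws:execute-api:region:acct:api-id/stage/VERB/path -> .../api-id/stage/*
    API Gateway caches the returned policy per token (authorizerResultTtlInSeconds),
    so a policy scoped to the first method called would deny the caller's next
    method for the lifetime of the cache entry."""
    parts = method_arn.split("/")
    return f"{parts[0]}/{parts[1]}/*"


def build_policy(principal, effect, resource, context=None):
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
        # Reaches the integration as $context.authorizer.<key>; values must be scalars.
        "context": context or {},
    }


def handler(event, context=None, now=None):
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token, now)
    if claims is None:
        # Raising with exactly this message makes API Gateway return HTTP 401.
        raise Exception("Unauthorized")
    # A valid identity without the right role gets an explicit Deny -> HTTP 403.
    effect = "Allow" if claims["role"] in ALLOWED_ROLES else "Deny"
    return build_policy(claims["user"], effect, stage_wildcard(event["methodArn"]),
                        {"user": claims["user"], "role": claims["role"]})


def authorize_or_none(event, now=None):
    """For local runs: the policy, or None where API Gateway would answer 401."""
    try:
        return handler(event, None, now)
    except Exception:
        return None
```

Two design points matter in practice: the Resource is widened to the whole stage because the result is cached per token, and an unverifiable token is rejected with "Unauthorized" (401, not cached) while a verified caller with the wrong role gets a Deny policy (403).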

HTTP vs REST APIs

                                              HTTP API    REST API
Security
  Mutual TLS authentication                      Y           Y
  Certificates for backend authentication        -           Y
  AWS Web Application Firewall                   -           Y
  Resource policies                              -           Y
Authorisers
  Lambda                                         Y           Y
  IAM                                            Y           Y
  Amazon Cognito                                 Y           Y
  OpenID Connect / OAuth 2.0 (JWT)               Y           -

Deployments

Canary release to test a deployment with a small amount of traffic

St­age variables are name value pairs that can be set per stage (environment). Equivalent of environment variables in Lambda.

Performance

Use API caching

Supports API Gateway caching – TTL is 0 to 3600 seconds with a default of 300 seconds


Lambda

Serverless computing in small functions – cheap.

https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html

Test container images locally with the Lambda Runtime Interface Emulator

Temporary files can be stored in /tmp (512 MB by default)

Not connected to a VPC by default but can be enabled

Permissions

Execution role – gives permission for lambda to access other resources

Resource policy – gives permission for other services to execute lambda

Concurrency

Reserved concurrency – reserves a block of concurrency for the exclusive use of the function but also limits the function to that block, so effectively throttles it

Provisioned concurrency – enables scaling without latency. Does not throttle

Logging

console.log statements will log into CloudWatch and can be analysed from there. Don’t use CloudWatch events to log

Deploying

In containers

  • Must be in same account
  • Max image size 10GB
  • Container image must implement the Lambda Runtime API
  • Only Linux is supported

To CloudFront – Lambda@Edge runs the function at edge locations near to the client’s geographic location

Dependencies

To deploy dependencies in a Lambda

  • Include directly in zip
  • Use lamdba layers
  • Use custom runtime

Alias

Used to point to a version of a lambda. Aliases cannot point to other aliases

Weighted aliases can be used for a canary deployment

An unqualified ARN (no version or alias suffix) always points to $LATEST

Limits

Maximum execution time is 15 minutes

Maximum size of environmental variables – 4KB

Maximum size of a Lambda zip for direct upload – 50 MB. If > 50 MB consider uploading to an S3 bucket or using Lambda Layers to reduce the size of dependencies

Maximum RAM available for execution – 10,240 MB


Simple Storage Service (S3)

Serverless object storage

S3 Transfer acceleration for increased performance to and from S3

Security

S3 Security Best Practices

For ways to control access

  • IAM policies
  • Bucket policies
  • Access Control Lists (ACL)
  • Query String – this is for pre-signed url can grant time limited access to resources in otherwise private buckets

ACL vs bucket policies vs IAM policies

Contrast Cloudfront signed url with S3 presigned url

Logging

Amazon S3 data events – object-level API activity (GetObject, PutObject, DeleteObject) is only logged by CloudTrail if data events are enabled for the bucket or trail; the logs are delivered to an S3 bucket (and optionally CloudWatch Logs). Management events such as bucket creation are logged by default

Encryption Types

  • SSE-S3 – Server side encryption with S3 managed keys. Uses Advanced Encryption Standard (AES-256). Keys are rotated by AWS
    Request header – x-amz-server-side-encryption: AES256 (policy condition key s3:x-amz-server-side-encryption)
  • SSE-KMS – Server side encryption with KMS keys. Adds a CloudTrail audit trail and per-key access control
    Request header – x-amz-server-side-encryption: aws:kms, optionally x-amz-server-side-encryption-aws-kms-key-id: <key ARN>
  • SSE-C – Server side encryption with customer provided keys. The key is sent with every request and S3 does not store it
    Request headers – x-amz-server-side-encryption-customer-algorithm: AES256, plus -customer-key and -customer-key-MD5
  • Client side encryption – data is encrypted before it leaves the client

Must use HTTPS for SSE-C, since the key travels in the request.

With SSE-KMS the caller needs kms:GenerateDataKey to upload and kms:Decrypt to download – S3 uses envelope encryption, so it asks KMS for a data key per object. Those KMS calls count against the KMS request quota, which can throttle a busy bucket.

Can enable encryption by default on a bucket to ensure that all new objects are encrypted.
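A bucket policy that refuses unencrypted and plaintext-HTTP uploads, next to a deliberately simplified evaluator that shows which statement would fire for a given request. This is an added example, not from the notes or from AWS; the bucket name is an assumption, and the evaluator models only the operators and condition keys used here, not full IAM semantics. It treats a missing key as not matching StringNotEquals, which is why the policy carries the separate Null statement (the same two-statement pattern AWS’s own examples use).

```python
# Added example (not from the page): a bucket policy enforcing SSE-KMS and TLS, with a
# simplified evaluator showing which Deny statement a request trips. The bucket name
# is an assumption; the evaluator covers only the operators used in this policy.
import re

BUCKET = "example-data-bucket"   # assumption

ENFORCE_SSE_KMS_AND_TLS = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Header present but not KMS (e.g. AES256, i.e. SSE-S3).
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Header absent entirely: caught separately with the Null operator.
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Any call over plain HTTP (SSE-C uploads in particular must use TLS).
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _glob(pattern, value):
    # Action and Resource elements support '*'; match over the whole string.
    return re.fullmatch("".join(".*" if c == "*" else re.escape(c) for c in pattern),
                        value) is not None


def _condition_holds(operator, key, wanted, ctx):
    actual = ctx.get(key)
    if operator == "Null":             # "true" means: the key must be absent
        return (actual is None) == (wanted == "true")
    if operator == "StringEquals":
        return actual == wanted
    if operator == "StringNotEquals":  # missing key treated as not matching (conservative)
        return actual is not None and actual != wanted
    if operator == "Bool":
        return actual is not None and actual.lower() == wanted.lower()
    raise NotImplementedError(operator)


def first_denying_statement(policy, action, resource, ctx):
    """Sid of the first Deny statement matching the request, or None.
    In IAM an explicit Deny always wins, so a single hit is enough to block."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob(a, action) for a in actions):
            continue
        if not any(_glob(r, resource) for r in resources):
            continue
        conds = [(op, k, v) for op, kv in stmt.get("Condition", {}).items()
                 for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in conds):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    # Constructed request contexts: an SSE-S3 upload and a plain-HTTP download.
    print(first_denying_statement(ENFORCE_SSE_KMS_AND_TLS, "s3:PutObject", obj,
                                  {"s3:x-amz-server-side-encryption": "AES256",
                                   "aws:SecureTransport": "true"}))
    print(first_denying_statement(ENFORCE_SSE_KMS_AND_TLS, "s3:GetObject", obj,
                                  {"aws:SecureTransport": "false"}))
```

Before relying on a policy like this in production, test it with the IAM policy simulator or a real request, because the toy evaluator above deliberately does not reproduce every IAM rule (IfExists operators, multi-valued keys, cross-account principal evaluation).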

Storage classes

https://aws.amazon.com/s3/storage-classes/

  • S3 Standard
  • S3 Intelligent-Tiering
  • S3 Standard-IA
  • S3 One Zone-IA
  • Glacier Instant Retrieval
  • Glacier Flexible Retrieval — Retrieval time minutes to hours
  • Glacier Deep Archive. Retrevial time 12 hours

Replication

  • SRR – Same-Region Replication
  • CRR – Cross Region Replication

Configured at bucket, shared prefix or object level.

Buckets must have versioning enabled (source and target) for replication

Versioning

Items without a version have a version of null. If versioning is applied, pre-existing items still have a version of null

Enables recovery of deleted items and restoring of old versions of items

Versioning enabled at the bucket level

Consistency

S3 buckets are strongly consistent for GET, PUT, LIST, DELETE operations and metadata and ACL operations for objects within a bucket

S3 bucket configuration are eventually consistent for information about the buckets themselves e.g. list all buckets in an account

Events

Examples

  • s3:ObjectCreated:*
  • s3:ObjectRemoved:*
  • s3:ObjectRestore:*
  • s3:Replication:*

Event targets are

  • SNS
  • SQS
  • Lambda
  • EventBridge

Events are designed to be delivered at least once – therefore it is possible to get multiple events for the same action, so handlers should be idempotent. If two writes to the same non-versioned key happen at the same time only one event may be sent; enabling versioning guarantees an event for every successful write

CLI

aws s3api list-objects-v2 lists the objects in a bucket

  • --page-size – smaller number of items fetched per underlying API call
  • --max-items – maximum number of items returned
  • --starting-token – used for paging results. Gives the starting point for the next page

Limits

5GB limit for a single PUT operation

If >100MB the recommendation is multi-part upload

Maximum object size with multi-part upload is 5TB

Range for S3 object sizes is 0 bytes to 5TB. Total storage in S3 is unlimited.


Step Functions

Manages tasks in a stateful workflow. Defined as JSON (Amazon States Language)

Made up of

  • tasks
  • state machines – make the decisions
  • activity workers – poll for a task

Serverless – contrast to SWF

Allows task retries

Doesn’t run containers itself, but can orchestrate them by starting ECS tasks and Batch jobs

States

  • Task
  • Choice
  • Wait
  • Pass
  • Fail
  • Succeed
  • Map – dynamically iterate through steps
  • Parallel

Timeouts are not a state: TimeoutSeconds is a field on a Task state and produces a States.Timeout error that Retry and Catch can handle

State Machines

Actions can be

  • invoke Lambda
  • run AWS Batch job
  • run ECS task
  • Insert item to DynamoDB
  • Publish message to SNS, SQS
  • Launch another Step Functions execution
  • Run activity – EC2, on premise, ECS. Polls for work (similar to SWF)

Error Handling

Error handling should be in the state machine not in application code

  • Retry
    • ErrorEquals
    • IntervalSeconds
    • BackoffRate – for exponential backoff
    • MaxAttempts
  • Catch
    • ErrorEquals
    • Next – direct to another state
    • ResultPath – allows you to include the error in the output
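A Task state with both Retry and Catch written out in Amazon States Language, plus the wait schedule the Retry block implies, as an added example that is not from the notes. The function ARN, state names and error list are assumptions; the field names are the ASL ones listed above.

```python
# Added example (not from the page): a Task state with Retry and Catch in Amazon
# States Language, and the timing the Retry block implies. The function ARN and the
# state names are assumptions.
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:process-order"  # assumption

STATES = {
    "ProcessOrder": {
        "Type": "Task",
        "Resource": FUNCTION_ARN,
        "TimeoutSeconds": 30,                 # a field of Task, not a state type
        "Retry": [
            {   # Transient failures: back off exponentially, then give up.
                "ErrorEquals": ["States.Timeout", "Lambda.ServiceException",
                                "Lambda.TooManyRequestsException"],
                "IntervalSeconds": 2,
                "BackoffRate": 2.0,
                "MaxAttempts": 3,
            }
        ],
        "Catch": [
            {   # Anything still failing: keep the error in the input and route on.
                "ErrorEquals": ["States.ALL"],
                "ResultPath": "$.error",
                "Next": "RecordFailure",
            }
        ],
        "Next": "OrderProcessed",
    },
    "OrderProcessed": {"Type": "Succeed"},
    "RecordFailure": {"Type": "Fail", "Error": "OrderFailed",
                      "Cause": "See $.error in the state input"},
}


def retry_schedule(retrier):
    """Seconds to wait before retry n (1-based): IntervalSeconds * BackoffRate**(n-1)."""
    return [retrier["IntervalSeconds"] * retrier["BackoffRate"] ** n
            for n in range(retrier["MaxAttempts"])]


def worst_case_seconds(state):
    """Upper bound on time spent in the state if every attempt times out:
    (1 + MaxAttempts) invocations at TimeoutSeconds each, plus all the waits."""
    retriers = state.get("Retry", [])
    invocations = 1 + sum(r["MaxAttempts"] for r in retriers)
    waits = sum(sum(retry_schedule(r)) for r in retriers)
    return invocations * state["TimeoutSeconds"] + waits


def dangling_targets(states):
    """State names referenced by Next or Catch that are never defined."""
    referenced = set()
    for s in states.values():
        if "Next" in s:
            referenced.add(s["Next"])
        for c in s.get("Catch", []):
            referenced.add(c["Next"])
    return referenced - set(states)


def definition_json(states, start_at):
    return json.dumps({"Comment": "added example", "StartAt": start_at, "States": states},
                      indent=2)


if __name__ == "__main__":
    print(retry_schedule(STATES["ProcessOrder"]["Retry"][0]))   # waits between attempts
    print(worst_case_seconds(STATES["ProcessOrder"]))            # budget for the state
    print(definition_json(STATES, "ProcessOrder"))
```

The worst-case figure is the one to check against the Express workflow limit of 5 minutes: three retries with a 2 s base and a backoff rate of 2 add 14 s of waiting on top of four 30 s invocations.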

Standard vs Express

Standard – duration up to 1 year. Exactly-once execution

Express – duration up to 5 minutes. At-least-once (asynchronous) or at-most-once (synchronous) execution. Cheaper than Standard at high volume.


Data

AWS offers many services that manage data and function as structured datastores.


Athena

Used to query data in S3 buckets

Execute SQL on large datasets spanning separate files. Contrast to S3 Select


DynamoDB

Serverless NoSQL database. Multi-region. Fully Managed

Data Type

  • Scalar
    • Number
    • String
    • binary
    • Boolean
    • null
  • Document
    • List
    • Map
  • Sets

Primary Key

Made up of

  • Partition Key
  • Sort Key. Optional.

Supported data type – number, string, binary

Provisioning

The exam will almost certainly ask you to calculate read and / or write capacity for DynamoDB.

One Read Capacity Unit (RCU) is one strongly consistent read per second of an item up to 4KB

One RCU is two eventually consistent reads per second of an item up to 4KB (transactional reads cost two RCU)

One Write Capacity Unit (WCU) is one write per second of an item up to 1KB (transactional writes cost two WCU)
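The capacity arithmetic the exam expects, generalised to eventually consistent and transactional operations and to Scan pages. This is an added example, not from the notes; the sample item sizes are constructed.

```python
# Added example (not from the page): DynamoDB capacity unit arithmetic. Sizes are in
# bytes; each read or write rounds its item size up to the 4KB / 1KB unit boundary.
import math

RCU_ITEM_BYTES = 4 * 1024
WCU_ITEM_BYTES = 1 * 1024


def rcu_per_read(item_bytes, consistency="strong"):
    """RCU consumed by one read of an item: strong = units, eventual = half,
    transactional = double. A 4,097-byte item costs 2 units, not 1.0002."""
    units = max(1, math.ceil(item_bytes / RCU_ITEM_BYTES))
    if consistency == "eventual":
        return units / 2
    if consistency == "transactional":
        return units * 2
    return units


def wcu_per_write(item_bytes, transactional=False):
    units = max(1, math.ceil(item_bytes / WCU_ITEM_BYTES))
    return units * 2 if transactional else units


def provisioned_rcu(item_bytes, reads_per_second, consistency="strong"):
    """RCU to provision for a steady rate of reads of one item size."""
    return math.ceil(rcu_per_read(item_bytes, consistency) * reads_per_second)


def provisioned_wcu(item_bytes, writes_per_second, transactional=False):
    return math.ceil(wcu_per_write(item_bytes, transactional) * writes_per_second)


def scan_rcu(bytes_examined, consistency="eventual"):
    """A Scan (or Query) is charged on the data it examines, in one 4KB-rounded
    total per page, regardless of how many items a FilterExpression later discards.
    Scan reads are eventually consistent unless ConsistentRead is set."""
    return math.ceil(rcu_per_read(bytes_examined, consistency))


if __name__ == "__main__":
    # Constructed exam-style question: 6KB items, 10 strongly consistent reads/s.
    print(provisioned_rcu(6 * 1024, 10))            # 20
    print(provisioned_rcu(6 * 1024, 10, "eventual")) # 10
    print(provisioned_wcu(1536, 10))                 # 1.5KB items, 10 writes/s -> 20
    print(scan_rcu(1024 * 1024))                     # a full 1MB scan page -> 128
```

The Scan figure is the one that surprises people: a 1MB page costs 128 RCU (256 if strongly consistent) even when the FilterExpression returns nothing, which is why the notes above say a filter does not limit RCU.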

Scaling

DynamoDB Accelerator (DAX) to improve read speed with no code changes. 10x performance improvements

Global tables replicate tables across predefined regions to reduce latency

Transactions

Supports transactional read and writes for ACID transactions

TransactWriteItems – up to 25 items. The total size must be <= 4MB

TransactGetItems

To ensure that the application always reads the latest data use the ConsistentRead flag. GetItem, Query and Scan can use strongly consistent reads

Conditional Writes – used when multiple clients are updating the same item at the same time (optimistic locking)

Operations

GetItem – read

UpdateItem – edit attributes of existing item

PutItem – adds new item or replaces old item with a new one entirely

BatchGetItem – reads one or more items from one or more tables

BatchWriteItem – writes one or more items to one or more tables

Scan – reads data sequentially in 1MB increments. Inefficient but does not require indexes

Parallel Scans – as above but multi-threaded scanning separate partitions

ProjectionExpression – limited set of attrbutes to return – like the SELECT clause in SQL

FilterExpression – results to be discarded after scan has run. Does not limit RCU

Query – reads only data specified in query. Does limit RCU. Requires an index to cover queried attributes or a partiton key

TTL – define when items from database expire so that can be automatically deleted. Can set on a per record basis

Indexes

Global secondary index – can be created on existing or new table. Can contribute to throttling of the database

Local secondary index – can only be created on a new table

DynamoDB Streams

Ordered flow of information containing changes to a table. Stored for up to 24 hours. Can be consumed by other services such as Lambda.

Backup

  • Point in time
  • On demand

The backups are stored in S3 buckets that you do not have access to, so they can’t be used as exports – use Export to S3 for that

Permissions

See here for complete list

UpdateItem permission is enough to upsert an item

Limits

Max item size – 400KB

Max GSI – 20 per table. Raise an AWS support request to increase

Max LSI – 5 per table


Relational Database Service (RDS)

Relational databases in the cloud.

Types

  • Oracle
  • MySQL
  • PostgreSQL
  • MariaDB
  • SQL Server

IAM database authentication works with MariaDB, MySQL and PostgreSQL

Auto-scaling

can be enabled so volume increases when

  • storage is >90% full for > 5 minutes
  • > 6 hours since last storage modification
  • Storage is below user defined maximum storage limit

High Availability

Read replicas – used for heavy readonly usage scenarios.

Cross Region Read Replicas are also used for disaster recovery. In the event of a failure a read replica can be promoted to a standalone instance.

Multi-AZ – for high availability

  • Updates to primary are copied over to secondaries synchronously
  • OS updates are performed on secondary which promotes to primary so no downtime
  • Backups are taken from standby so no I/O suspension
  • Secondaries do not serve read requests so can’t function for performance. HA only

Backups

Manual snapshots can be copied across multiple regions

Automated backups are kept in one region only

Deletion protection can be enabled – can’t be deleted by any user or tear down of environments such as with Elastic Beanstalk

Limits

Backup retention period 0 to 35 days


Relational Database Service – Aurora

Highly available cloud optimised RDS.

MySQL and Postgres compatible

High Availability

  • Stores 6 copies of data across 3 AZs
  • 3 copies required for reads
  • 4 copies required for writes
  • Self healing and striped over 100s of volumes
  • One instance is master. Failover in 30 seconds (fast)
  • 15 read replicas (MySQL has 5)
  • Cross-region replication for read replicas
  • Load balancing through the read endpoint (contrast to the write endpoint)

Storage

Automatically grows up to 128 TB in 10GB increments

Aurora Specific Functionality

  • Database cloning
  • Point in time restoration

S3 Select

Use SQL for simple queries on one S3 file. Contrast to Athena


Networking

Photo by Rob Curran on Unsplash

The developer exam doesn’t often ask questions about networking but understanding networking is often the key to getting the answer right for questions on the other services.

Route 53

DNS Service

Record Types

A Record
Points a domain name to an IPv4 address

CNAME record
Points one domain to another
Cannot be used for the apex domain e.g. can’t use example.com with a CNAME but can use subdomains such as www.example.com or subdomain.example.com

Alias Record
Points domain to AWS resource such as S3, CloudFront or another record in that Route 53 hosted zone
Can be used at the zone apex
Specific to AWS

PTR
Reverse DNS record. Opposite of A record

Routing policies

  • Simple routing
  • Failover routing
  • Geolocation routing
  • Geoproximity routing
  • Latency routing
  • Multivalue answer routing – up to eight healthy records selected at random

Virtual Private Cloud (VPC)

AWS Networking – the glue that holds it all together

Route table

Set of rules that determine where traffic from a subnet or gateway is directed

Internet access

Internet Gateway – internet access for VPC. If a VPC has an Internet Gateway then it becomes public

NAT Instance – internet access for a private subnet. The private subnet can contact the Internet but the Internet cannot see the VPC, hence it remains private. Contrast to Internet Gateway. NAT instance is not the name of an AWS service, rather it is a general networking concept.

NAT Gateway – Service offered by AWS with better performance and easier management as compared to NAT Instance. Preferred if given a choice

Endpoints

Allow instances in a VPC to privately connect to AWS services. No public IP required.

Types

  • Interface endpoints – an elastic network interface with a private IP address
  • Gateway endpoints – specified as the target in the route table for traffic destined for the service. DynamoDB and S3 have gateway endpoints. S3 also has interface endpoints

Elastic IP – gives an instance a fixed public IP address.

NACL vs Security Groups

NACLs and Security Groups both limit traffic based on source IP and port and function as virtual firewalls

Detail

Security Groups | NACLs
Associated with EC2, ELB | Associated with subnets
Stateful – allowing inbound traffic allows outbound | Stateless – must explicitly allow inbound and outbound traffic
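The stateful/stateless distinction in the table above, as an added example in Go that is not part of the original cheat sheet: a toy security group and NACL evaluate an inbound SSH request and the instance’s reply. Addresses, ports and rules are constructed for the example, and only the parts of the rule model needed for the point are included (no protocol field, no rule numbers).

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the part of a TCP flow both filters look at.
type Packet struct {
	Inbound          bool // arriving at the instance (security group) or subnet (NACL)
	Src, Dst         string
	SrcPort, DstPort int
}

// Rule is one filter entry: CIDR is matched against the packet's remote address, the port range against its destination port.
type Rule struct {
	Inbound, Allow bool
	CIDR           string
	PortLo, PortHi int
}

func (r Rule) matches(p Packet) bool {
	_, block, err := net.ParseCIDR(r.CIDR)
	if err != nil || r.Inbound != p.Inbound {
		return false
	}
	remote := p.Dst
	if p.Inbound {
		remote = p.Src
	}
	return block.Contains(net.ParseIP(remote)) && p.DstPort >= r.PortLo && p.DstPort <= r.PortHi
}

// flowKey names a connection identically in both directions ("remote->local"), so a reply matches its request.
func flowKey(p Packet) string {
	if p.Inbound {
		return fmt.Sprintf("%s:%d->%s:%d", p.Src, p.SrcPort, p.Dst, p.DstPort)
	}
	return fmt.Sprintf("%s:%d->%s:%d", p.Dst, p.DstPort, p.Src, p.SrcPort)
}

// SecurityGroup is stateful: once a rule allows a packet the flow is tracked and its replies pass without a rule of their own.
type SecurityGroup struct {
	Rules []Rule
	flows map[string]bool
}
func (sg *SecurityGroup) Allows(p Packet) bool {
	if sg.flows == nil {
		sg.flows = map[string]bool{}
	}
	if sg.flows[flowKey(p)] {
		return true // reply to a tracked flow
	}
	for _, r := range sg.Rules {
		if r.Allow && r.matches(p) {
			sg.flows[flowKey(p)] = true
			return true
		}
	}
	return false
}

// NACL is stateless: every packet, replies included, must match an allow rule; first match wins, implicit final deny.
type NACL struct{ Rules []Rule }
func (n NACL) Allows(p Packet) bool {
	for _, r := range n.Rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return false
}

// SSHScenario pushes an SSH request from a constructed admin address and the instance's reply
// through both filters; withEphemeral adds the outbound NACL rule for ephemeral ports the reply needs.
func SSHScenario(withEphemeral bool) (sgReq, sgReply, naclReq, naclReply bool) {
	admin, instance := "203.0.113.5", "10.0.1.10" // constructed sample addresses
	request := Packet{Inbound: true, Src: admin, Dst: instance, SrcPort: 51000, DstPort: 22}
	reply := Packet{Inbound: false, Src: instance, Dst: admin, SrcPort: 22, DstPort: 51000}
	sg := &SecurityGroup{Rules: []Rule{{Inbound: true, Allow: true, CIDR: "203.0.113.0/24", PortLo: 22, PortHi: 22}}}
	nacl := NACL{Rules: []Rule{
		{Inbound: true, Allow: true, CIDR: "203.0.113.0/24", PortLo: 22, PortHi: 22},
		{Inbound: false, Allow: true, CIDR: "0.0.0.0/0", PortLo: 443, PortHi: 443}, // outbound HTTPS only: no help for SSH replies
	}}
	if withEphemeral {
		nacl.Rules = append(nacl.Rules, Rule{Inbound: false, Allow: true, CIDR: "0.0.0.0/0", PortLo: 1024, PortHi: 65535})
	}
	return sg.Allows(request), sg.Allows(reply), nacl.Allows(request), nacl.Allows(reply)
}
func main() {
	fmt.Println(SSHScenario(false)) // true true true false: the NACL drops the reply
	fmt.Println(SSHScenario(true))  // true true true true
}
```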

Messaging

Photo by the blowup on Unsplash

Messaging systems to decouple and scale your applications. Know the differences between them.

Kinesis Data Analytics

Analyses streaming data in real time.

Serverless

Automatically scales


Kinesis Data Streams (KDS)

ingest data in real time

Supports ordering and replay

Multiple consumers

Encryption

Data encrypted at rest by a KMS customer master key

Data encrypted in flight by HTTPS endpoints

Shards

Capacity is defined by number of shards in the data stream – these do not automatically scale

Can have one processing unit (e.g. EC2) per shard

Performance

Enhanced fan out – each consumer gets their own 2MB/sec pipe per shard – contrast to standard where 2MB/sec per shard is shared between all applications.

If capacity is exceeded then you get a ProvisionedThroughputExceeded exception

Supporting software

Kinesis Client Library (KCL) can deliver all records of a partition key to a given client making it easy to support multiple consumers

Kinesis Producer Library (KPL) to write to data stream from application code

Kinesis Agent can be installed on EC2 to capture data to a Kinesis Data Stream

Limits

Retention period is 7 days

2MB/sec per shard is shared between all of the applications


Kinesis Firehose

Egests data – loads it into data store targets. Contrast to KDS

Automatically scales

Fully managed

More cost effective than KDS

Supported targets

  • S3
  • Amazon Redshift
  • Amazon Elasticsearch
  • Generic HTTP endpoints
  • Specific 3rd party e.g. Splunk, Datadog, MongoDB, New Relic

Functions

  • Load
  • Batch
  • Compress
  • Transform
  • Encrypt

Simple Queue Service (SQS)

Supports only 1 consumer – contrast to Kinesis Data Streams

Used with asynchronous clients e.g. Lambda

Queue Types

  • Standard message queues – order not guaranteed and possible for message to be read more than once
  • FIFO message queues – guaranteed order with each message being read once.

Cannot convert standard queue into a FIFO queue

Performance

In almost all cases use long polling. It decreases the number of empty responses and ensures a message is pulled off as soon as it arrives. Use the maximum of 20 seconds for the timeout.

SQS Extended Client Library for Java

Used to manage large messages – see Limits

  • specify whether messages are always stored in S3 or just when > 256 KB
  • sends a message that references content in S3 bucket
  • get message from S3 bucket
  • delete message from S3 bucket

Limits

Minimum message size is 1 byte
Maximum message size is 256KB

If a message is > 256 KB then use SQS Extended Client Library for Java. This supports messages up to 2GB. If > 2GB then store messages in S3 and reference from a pointer in the SQS message.

No limit on the number of messages stored

Maximum of 10 messages can be received at one time by a consuming application

Message retention

  • default 4 days
  • minimum 60 seconds
  • maximum 14 days

Standard – Approx 120,000 limit of number of inflight messages

FIFO – 20,000 inflight messages

Autoscales on demand within the above limits

Configuration

WaitTimeSeconds to set short polling vs long polling. Minimum 0 seconds, maximum 20 seconds

MessageRetentionPeriod

DelaySeconds – min 0 seconds, max 15 minutes

ChangeMessageVisibility – adjusts the visibility timeout, which helps prevent multiple consumers processing the same message

  • Default value – 30 seconds
  • Minimum value – 0 seconds
  • Maximum value – 12 hours

FIFO configuration

MessageGroupId – the messages are ordered within this grouping. Ordering is not guaranteed between groups.

MessageDeduplicationId – messages with the same deduplication id aren’t redelivered within a 5 minute interval. Guarantees exactly-once processing.

ContentBasedDeduplication – uses a SHA-256 hash of the message body for deduplication instead of the MessageDeduplicationId

API

  • PurgeQueue
  • DeleteQueue
  • RemovePermissions

Security

For encrypted queues enable SQS KMS encryption


Simple Notification Service (SNS)

Pub / sub messaging system supporting multiple subscribers

Integrates with ..

Can send messages in types of

  • Notifications to other AWS services
  • Emails
  • SMS messages
  • Mobile push notifications

Simple Workflow Service (SWF)

Manages tasks in a stateful workflow. Uses decider programs

Task assigned only once – contrast to SQS, which can deliver a message multiple times

Need to manage infrastructure – contrast to Step Functions


Logging and Monitoring

Logging comes up over and over again in the AWS developer exam. Know this in detail, especially CloudWatch.

Amazon Event Bridge

Event-driven applications

Only event based system that integrates directly with third party SaaS systems

Supported sources

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html

  • Athena
  • CloudFormation
  • CloudTrail
  • CodeBuild
  • CodeCommit
  • CodeDeploy
  • Elastic Beanstalk
  • EBS
  • EC2
  • ECR
  • ECS
  • KMS
  • RDS
  • S3
  • Step Functions
  • Plus others not on AWS Developer Associate Exam

Scheduled Tasks

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html

Can create a rule that runs on a schedule e.g. running a Lambda function every hour

Types

  • cron expressions. Cron expressions of a rate faster than 1 minute are not supported
  • rate expression to run on a defined schedule e.g. every 5 hours

Examples

  • Event from EC2, target SNS. Email when things happen on EC2 instance
  • Event from CodeBuild, target SNS. Notifications when build completes
  • Event from CodeDeploy, target lambda. Run custom code at particular stages of a deployment

AWS Config

resource history, audit and compliance


CloudTrail

Account specific activity and audit e.g.

  • actions through management console
  • actions through SDK
  • actions through CLI
  • API calls e.g. to KMS, SSM, Lambda, API Gateway – see here for a full list
  • Failed logins

By default only logs S3 bucket-level events, not object-level events

Encrypted by default – SSE

Trails

Can create trails for

  • All regions
  • One region
  • Organisation trail for all regions
  • Organisation trail for one region

Integrations

  • CloudWatch Logs – can direct to another service or stream into an S3 bucket
  • CloudWatch events – can take actions depending on cloudtrail events

Limits

Stores 90 days of activity within AWS account


CloudWatch

Performance monitoring, events and alerts

Integrates with S3

Can view events from multiple applications on a single dashboard – across regions if required.

CloudWatch Agent

  • Collects logs and / or metrics from EC2 instances
  • Collects logs and / or metrics from on premises services and forwards to CloudWatch
  • Works with Linux or windows

Custom monitoring

Use PutMetricData to push data from EC2 into CloudWatch. Can be standard resolution or high resolution (push every second)

GetMetricStatistics – for high resolution metrics can be 1,5,10,30 or 60 second intervals. For standard resolution can be any multiple of 60 seconds.

Metric retention

The data points storage is dependent on metric resolution

Resolution | Data Frequency | Retention Period
High | < 60 seconds | 3 hours
Standard | 60 seconds | 15 days
Standard | 5 minutes | 63 days
Standard | 1 hour | 15 months

CloudWatch Alarms

Performs an action when data is over a threshold e.g.

  • SNS topic push
  • ASG policy

Possible states for alarm

  • OK
  • ALARM
  • INSUFFICIENT_DATA

PutMetricAlarm – creates a CloudWatch alarm

CloudWatch Events

Superseded by EventBridge

Security

CloudWatch logs are always encrypted

Use API call associate-kms-key to encrypt CloudWatch logs with a KMS key as an alternative encryption method

Use API call describe-log-groups to see if a log group is already associated with a KMS key


X-Ray

Logging and visualisation. Useful for microservice architecture

Sends data as segments

Each participating instance (EC2 or ECS) needs access to X-Ray Agent. EC2 can have agent installed but ECS needs an additional sidecar container to host the agent.

Encrypted at rest by default. Can specify a KMS customer managed key.

Integrations

X-Ray can integrate with

  • Lambda
  • API Gateway
  • Elastic Load Balancer
  • Elastic Beanstalk
  • SNS
  • SQS
  • S3

Configuration

  • Sampling – by default it samples first request each second then 5% of total requests. Decrease sampling rate to minimise costs if required
  • Annotations – key-value pairs used to filter and group traces in console. Are indexed
  • Metadata – key-value pairs. Additional information that are not required for search

Environmental variables

  • AWS_XRAY_DAEMON_ADDRESS – host and port of the X-Ray daemon if not the default (127.0.0.1:2000)
  • AWS_XRAY_TRACING_NAME – service that SDK uses for segments

Deployment

Photo by Troy Mortier on Unsplash

Deployment of applications and provisioning of AWS infrastructure.

AWS Amplify

Create mobile and web apps. Like Elastic Beanstalk but for web and mobile apps

amplify add auth – Authentication using Cognito

amplify add api – uses GraphQL and DynamoDB

amplify add hosting – CI/CD, domains etc. Like Vercel


CodeArtifact

Code artifact management – integrates with npm, yarn, Maven, NuGet, pip etc.

Repositories live in a domain – point npm at CodeArtifact, which acts as a proxy into the public npm registry. Good for

  • network security
  • cached – in case public repository disappears

Also can push own artifacts


CodeBuild

Managed build system.

Build specific environmental variables. Don’t need to know full list for AWS Developer Associate Exam

buildspec.yml in application root contains build config

Fully managed – scales automatically to meet peak demand

Limits

The maximum number of builds in the queue is five times the number of concurrent builds that can be run.

Security

Can encrypt build output artifacts by specifying a KMS customer managed key. Use environment variable CODEBUILD_KMS_KEY_ID


CodeCommit

Repository based on Git

Encrypted at rest and inflight by default

Authentication and access

https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control.html

Cannot use IAM username and password to access directly

Can generate SSH keys or Git Credentials from IAM

Notifications

Can be created in the console

Will create an event rule which can be used to publish to SNS


CodeDeploy

Fully managed application deployment. Automatically scales

Types

  • In-place
  • Blue/Green

Supported Platforms

  • EC2
  • Fargate
  • Lambda
  • On-premises server

appspec.yml in the root directory of the application defines deployment config including

  • map source files to destination
  • custom permissions for deployed files
  • scripts to run at each stage of deployment
  • deployment preconditions i.e. what must be installed on deployed instances

appspec.yml for EC2/on-premises deployments and Lambda

appspec.json for Lambda only. EC2 and on-premises deployments are not supported in this format

Deployment hooks

Used to run code or trigger events. In order ….

  • ApplicationStop
  • DownloadBundle
  • BeforeInstall
  • Install
  • AfterInstall
  • ApplicationStart
  • ValidateService – last deployment event. The hooks below can’t be used to run deployment scripts
  • BeforeBlockTraffic
  • BlockTraffic
  • AfterBlockTraffic
  • BeforeAllowTraffic
  • AllowTraffic

CodeDeploy Agent

Installed on instances to be deployed.

  • archives application revisions
  • archives log files
  • cleans up disk space – :max_revision option in config

Can be installed on local machines to debug failing builds. Needs the buildspec file locally

Deployment Groups

Contains settings and config used for a deployment.

In EC2 or on premise deployments this can be a set of instances to deploy to


CodePipeline

Fully managed CI / CD solution.

  • source – CodeCommit, GitHub etc…
  • build – Jenkins, CodeDeploy
  • test
  • deploy – CodeDeploy, EB

Contrast to CodeDeploy – if question mentions CI / CD then favour this service

Output of stages are stored in S3 and are picked up by downstream services from S3 e.g. build output, project artifacts etc..

Use CloudWatch Events to react to changes in the pipeline

Supported code sources

  • CodeCommit
  • S3
  • GitHub

CodeStar

Unifies CI/CD in one dashboard. Simplified management. Don’t get all config options.

Integrated issue tracking with Jira


Cloud Development Kit (CDK)

Programmatic variant of CloudFormation

Steps

  • Initialise templates cdk init
  • Write the code
  • Build (optional)
  • Synthesize the stacks (optional but good practice)
  • Deploy by cdk deploy

CloudFormation

Infrastructure as code. Declarative in JSON or YAML format.

Cannot be used for

  • Certificate Management
  • Server patching

Template Anatomy

Template anatomy details

  • Parameters – cannot have a condition
  • Conditions – defines conditions to be used elsewhere
  • Resources (only mandatory section)
  • Outputs – contains export field used for cross stack referencing
    • Export – unique name within region

Parameters

Supports the following parameters

  • String
  • Number
  • List<Number>
  • CommaDelimitedList
  • AWS::EC2::Keypair::KeyName – EC2 key pair name
  • AWS::EC2::SecurityGroup::Id – Security Group Id
  • AWS::EC2::Subnet::Id – Subnet id
  • AWS::EC2::VPC::Id – A VPC Id
  • List<AWS::EC2::SecurityGroup::Id> – Array of Security Group Ids
  • List<AWS::EC2::Subnet::Id> – Array of Subnet ids
  • List<AWS::EC2::VPC::Id> – Array of VPC Ids

Intrinsic Functions

  • !GetAtt – returns the value of an attribute of a resource defined earlier in the template
  • !Ref
  • !ImportValue – imports an exported value from another stack
  • !Join – joins strings
  • !Sub – substitutes variables in a string
  • !FindInMap – looks up value in predefined mapping table

Pseudo Parameters

  • AWS::AccountId
  • AWS::Region
  • AWS::StackName
  • AWS::NoValue – removes the resource property when used in a condition
  • AWS::CloudFormation::Stack – refers to a nested stack

Deployment

cloudformation package packages and uploads local artifacts e.g. Lambda code

cloudformation deploy executes changeset e.g. creates / updates AWS resources

Lambda code can be deployed in the AWS::Lambda::Function block by

  • Inline in the template if there are no third party dependencies
  • Zipped into S3 then the zip referenced in the template. This can have dependencies

Changesets used to identify changes for an update in the template

Enable Termination Protection to stop stack being deleted. Can still update the stack and remove resources in that way.

Deletion Policy is used to retain objects when the template is changed or removed. Contrast to Amazon RDS DeletionProtection

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "myS3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "DeletionPolicy" : "Retain"
    }
  }
}

Elastic Beanstalk

Simplified deployment of apps. Although it’s simplified there are heaps of options and it’s actually quite time consuming to learn.

Config

Saved configurations are stored in S3 buckets

Config is stored in app code under .ebextensions/mysettings.config

Config file sections

  • option_settings
  • resources
  • packages
  • sources
  • files
  • users
  • groups
  • commands
  • container_commands
  • services

Deployment Strategies

Details

  • All at once
  • Rolling
  • Rolling with additional batch
  • Immutable
  • Traffic Splitting
  • Blue/Green

Worker Environments

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html

Used for long running tasks e.g. video processing

Use cron.yml file to define cron jobs for repetitive tasks

Platforms

https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html

  • ‘Popular’ languages and frameworks (Python, Node, Go, .Net etc..)
  • Docker single container
  • Docker multi container
  • Custom – when EB doesn’t support a required language or framework e.g. C++

Linux 1 environments were replaced by Linux 2 environments in July 2022. AWS now recommends Buildfile, Procfile and platform hooks to customise environments rather than ebextensions – though these are still supported. See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.migration-al.html

Custom Platform

  • Build AMI from one of supported platforms (all Linux variants)
  • add customisations as desired
  • Create the Elastic Beanstalk platform using Packer
  • root of application must include platform.yaml

Lifecycle policy

Set a lifecycle policy to remove old versions. Current version doesn’t count towards the total.

Limits

Source bundle for application upload must be < 512MB and be a ZIP or WAR


Serverless Application Model (SAM)

Templates to define serverless infrastructure as code. A simplified variant of CloudFormation

Resource Types

  • AWS::Serverless::Api – API Gateway
  • AWS::Serverless::Application
  • AWS::Serverless::Function – Lambda Function
  • AWS::Serverless::HttpApi
  • AWS::Serverless::LayerVersion
  • AWS::Serverless::SimpleTable – DynamoDB Table
  • AWS::Serverless::StateMachine

To use

  • Develop template locally
  • sam deploy command. This zips application artifacts, uploads to S3 then deploys application to AWS

Security

Photo by Calvin Hanson on Unsplash

Managing access and security to your infrastructure. A central concern in the exam. Know it in detail.


AWS Certificate Manager (ACM)

SSL/TLS server certificate management

Can automatically renew


AWS Security Token Service (STS)

Use to request temporary credentials. Created by a GetSessionToken call

Gives temporary access to AWS services via a set of credentials (access key ID, secret access key and security token). AssumeRoleWithWebIdentity does the same for users authenticated by a web identity provider

get-federated-token – retrieves a token for federation

decode-authorization-message – decodes an encoded authorisation error message

Global service

Limits

Expiry on assumed credentials

  • Minimum 15 minutes
  • Maximum 1 hour
  • Default 1 hour

Cognito Identity Pools

Grant users temporary access to other AWS resources

Supports guest access


Cognito Sync

Cross device syncing of user data for mobile or web


Cognito User Pools

AWS authentication – can use a third party federated provider but the users themselves are managed by AWS

Can be used to track and remember devices. Can use this to limit number of devices that a user can stream content from e.g. Netflix.

Can add MFA to a user pool


Identity and Access Management (IAM)

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

User and permission management. Global service

Can be used for limited certificate management – only use when region doesn’t support ACM

Might route traffic preferentially to higher capacity instances

Identities

Users, Groups and Roles

Identity Policy

Attached to user, group or role

AWS Managed, Customer Managed or Inline

Examples of policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["*"]
        },
        {
            "Sid": "DenyCustomerBucket",
            "Action": ["s3:*"],
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ]
        }
    ]
}

Further examples here
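An added example, not from the original post, that applies IAM’s evaluation order (an explicit Deny wins, then an Allow, otherwise implicit deny) to the policy above, written in Go with a minimal wildcard matcher. The sample requests are constructed; Condition elements and bare-string Action/Resource values are not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is one element of a policy's "Statement" array, with Action and Resource as arrays
// as in the cheat sheet's examples (IAM also accepts a bare string; Condition is not modelled).
type Statement struct {
	Sid      string   `json:"Sid"`
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

func ParsePolicy(doc string) (p Policy, err error) {
	err = json.Unmarshal([]byte(doc), &p)
	return
}

// wildcardMatch implements the "*" (any run) and "?" (one character) wildcards of Action/Resource.
func wildcardMatch(pattern, value string) bool {
	if pattern == "" {
		return value == ""
	}
	switch pattern[0] {
	case '*':
		for i := 0; i <= len(value); i++ {
			if wildcardMatch(pattern[1:], value[i:]) {
				return true
			}
		}
		return false
	case '?':
		return value != "" && wildcardMatch(pattern[1:], value[1:])
	default:
		return value != "" && value[0] == pattern[0] && wildcardMatch(pattern[1:], value[1:])
	}
}

func matchesAny(patterns []string, value string, foldCase bool) bool {
	for _, pat := range patterns {
		if foldCase {
			pat = strings.ToLower(pat)
		}
		if wildcardMatch(pat, value) {
			return true
		}
	}
	return false
}

// Evaluate applies the identity-policy decision order: an explicit Deny in any matching statement
// wins, then an Allow, otherwise ImplicitDeny. Action names are case-insensitive as in IAM; ARNs are not.
func Evaluate(p Policy, action, resource string) string {
	allowed := false
	for _, st := range p.Statement {
		if !matchesAny(st.Action, strings.ToLower(action), true) || !matchesAny(st.Resource, resource, false) {
			continue
		}
		if st.Effect == "Deny" {
			return "Deny" // explicit deny: no Allow elsewhere can override it
		}
		if st.Effect == "Allow" {
			allowed = true
		}
	}
	if allowed {
		return "Allow"
	}
	return "ImplicitDeny"
}

// ExamplePolicy is the cheat sheet's FullAccess / DenyCustomerBucket policy.
const ExamplePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
  {"Sid": "DenyCustomerBucket", "Effect": "Deny", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}]}`

func main() {
	p, err := ParsePolicy(ExamplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println(Evaluate(p, "s3:GetObject", "arn:aws:s3:::customer/invoice.pdf"))    // Deny
	fmt.Println(Evaluate(p, "s3:GetObject", "arn:aws:s3:::customer-archive/x.pdf")) // Allow: a bucket-name prefix is not a wildcard
}
```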

Resource Policy

Full list of services that work with IAM

For AWS Developer Associate exam know

  • EC2
  • ASG
  • Elastic Beanstalk
  • ELB
  • Lambda

Trust Policy

Which IAM entities can assume this role. Only type of resource-based policy in IAM

Permission Boundaries

Sets maximum permissions for an entity (user or role)

AWS Organisations Service Control Policy (SCP)

Defines maximum permissions for entities in an Organisational Unit within an Account

Cross Account Access

Use sts:AssumeRole – example Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::AccountB_ID:role/ROLENAME"
        }
    ]
}

Cross account access does not work across partitions

Example

User on account A wants to access Database on Account B

  • IAM role in account B with access to database
  • Amend trust policy on above IAM role to allow account A to assume it
  • Update policy on account A user to allow it to assume role from account B

Tools

IAM Policy Simulator

Tests access on a per account basis

IAM Access Analyzer

  • Identifies resources that are shared outside a given boundary (i.e. an organisation or an account)
  • Validate policies – grammar and best practices
  • Generates policies from CloudTrail activity

Access Advisor – On IAM console. Identifies unused roles over a given time period

--dry-run flag on the CLI can be used to test whether you have the required permissions for the action

Certificate Manager

IAM can be used as a certificate manager. Use only when ACM is not available in a region. Certificates must be obtained from an external provider.


Key Management Service (KMS)

Encryption key management

Supports automatic key rotation

Amazon Managed and Customer Managed Keys

Configuration

Key can be locked to one region. Single region by default

Key policies control which account / service can use the key and for what

Envelope Encryption

Use for encrypting target data. The data key is produced by generate-data-key, which returns a plaintext data key and an encrypted copy of that key. The plaintext key is used to encrypt the data outside of KMS and is then discarded. The encrypted data key is stored along with the encrypted data.

Envelope encryption is used to

  • Encrypt items > 4KB
  • Encrypt a data encryption key for greater security
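Envelope encryption end to end, as an added example in Go that is not the cheat sheet’s own code. FakeKMS is a constructed stand-in for the KMS service so the code runs offline: its GenerateDataKey and Decrypt methods play the role of the generate-data-key and decrypt calls, and AES-256-GCM stands in for KMS’s wrapping algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand" // rand.Read never fails on supported platforms (Go 1.24+), so its error is not checked here
	"errors"
	"fmt"
)

// EnvelopedObject is what gets stored: the data key only in wrapped form, next to the
// ciphertext produced locally (nonce prepended). No plaintext key is kept anywhere.
type EnvelopedObject struct{ WrappedDataKey, Sealed []byte }

// FakeKMS is a constructed stand-in for KMS so the example runs offline: the master key
// never leaves it and it exposes GenerateDataKey and Decrypt. Real KMS is called via SDK/CLI.
type FakeKMS struct{ masterKey []byte }

func NewFakeKMS() *FakeKMS {
	k := make([]byte, 32) // AES-256 master key, as a KMS customer master key would be
	rand.Read(k)
	return &FakeKMS{masterKey: k}
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on any tampering with the ciphertext or tag.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// GenerateDataKey mirrors `aws kms generate-data-key`: a fresh plaintext data key and
// the same key encrypted (wrapped) under the master key.
func (k *FakeKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	rand.Read(plaintext)
	wrapped, err = seal(k.masterKey, plaintext)
	return plaintext, wrapped, err
}

// Decrypt mirrors `aws kms decrypt` applied to a wrapped data key.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.masterKey, wrapped) }

// EnvelopeEncrypt: get a data key, encrypt the payload locally with it, discard the plaintext key and
// keep only the wrapped key beside the ciphertext. KMS only ever sees the 32-byte key, so the 4 KB limit does not apply.
func EnvelopeEncrypt(kms *FakeKMS, payload []byte) (EnvelopedObject, error) {
	dataKey, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return EnvelopedObject{}, err
	}
	defer func() { for i := range dataKey { dataKey[i] = 0 } }() // discard the plaintext data key
	sealed, err := seal(dataKey, payload)
	return EnvelopedObject{WrappedDataKey: wrapped, Sealed: sealed}, err
}

// EnvelopeDecrypt: have KMS unwrap the data key, then decrypt the payload locally.
func EnvelopeDecrypt(kms *FakeKMS, obj EnvelopedObject) ([]byte, error) {
	dataKey, err := kms.Decrypt(obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	defer func() { for i := range dataKey { dataKey[i] = 0 } }() // discard the plaintext data key
	return open(dataKey, obj.Sealed)
}
func main() {
	kms := NewFakeKMS()
	payload := make([]byte, 5000) // constructed 5 KB object, larger than a direct KMS Encrypt call accepts
	obj, _ := EnvelopeEncrypt(kms, payload)
	plain, err := EnvelopeDecrypt(kms, obj)
	fmt.Println("round trip ok:", err == nil && len(plain) == len(payload), "| wrapped key bytes:", len(obj.WrappedDataKey))
}
```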

CLI

encrypt

decrypt

re-encrypt – used to swap encryption keys

enable-key-rotation – configures key rotation

Limits

Maximum data size is 4KB. For anything over this Envelope encryption is used.


Secrets Manager

Stores sensitive data such as user names and passwords

Can automatically rotate secrets

Integrates with RDS, Amazon Redshift and Amazon DocumentDB so can change credentials of those services automatically


SSM Parameter Store

AWS Systems Manager Parameter Store

Can hold secrets stored as SecureString but has no automatic rotation. Contrast with Secrets Manager


Other Services

These services come up in the AWS Developer exam but often as distractors. They are less likely to be the correct answer. Knowledge of the details is not needed

  • Amazon Inspector – automated security assessment
  • Amazon Redshift – data warehousing
  • Amazon EMR – big data
  • AWS Batch – runs batch jobs and provisions resources
  • AWS Data Pipeline – moving data between sources and targets
  • AWS Global Accelerator – network service to improve traffic performance
  • AWS Glue – extract,transform, load
  • AWS Trusted Advisor – guidance on security, fault tolerance, cost optimisation
  • AWS Web Application Firewall (WAF) – Firewall – can deploy on CloudFront or Application Load Balancer.
  • CodeGuru – ML powered service for code reviews and performance recommendations
  • Serverless Application Repository (SAR) – Marketplace for serverless apps
  • Systems Manager (SSM) – used to group and manage resources
  • Simple Email Service (SES) – email sending

And if you have to guess…

Here are a few tips and broad rules of thumb for the exam. When you are forced to take educated guesses then these might improve your odds of guessing right.

Rules of thumb

  • Root account shouldn’t be used routinely – it’s almost always the wrong answer to use the root account for anything – exceptions CloudFront access keys and these have now been superseded by key groups anyway
  • Anything that looks like an error condition is probably the wrong answer e.g. command line use results in erratic behaviour
  • Similarly, if an answer is that an AWS service is down or unavailable for some reason that is almost certainly the wrong answer. AWS never goes down.
  • Most things (but by no means all) work within a region so guess the option that doesn’t cross regions if you have to. Not a great guess but you are playing the odds here.
  • It’s very rarely the right answer to contact AWS helpdesk. An exception could be if you wanted the soft limit on a service raised
  • Exponential backoff is preferred for throttling issues across a number of services
  • Generally if something seems insecure it’s probably wrong e.g. unencrypted disks and in-flight HTTP messages
  • It’s not a bad guess to say that something used by a service is uploaded to S3 as an intermediate stage (rather than uploaded elsewhere such as EBS, CodeCommit, EC2 etc…). Services that do this include CodePipeline, CloudFormation, SAM etc….

Bad practice

If you can identify something as dodgy practice then you can rule it out as an answer. Examples …

  • Sharing credentials
  • Making S3 buckets public without a good reason
  • Routing VPC traffic over the Internet without a good reason
  • passwords in code or clear text
  • giving unnecessary permissions – principle of least privilege

Legacy options

Certain options are legacy or are generally not a favoured option by the AWS Developer Exam so don’t pick these unless you are certain. Examples …

  • Classic Load Balancer. Prefer ALB or NLB
  • SWF. Prefer Step Functions for stateful workflow management
  • ASG Step scaling. Prefer target tracking scaling policies
  • CognitoSync. Prefer AppSync

And as I said at the beginning, good luck!

Additional Useful Links

Additional information useful for AWS Developer Exam

Well Architected Framework
https://aws.amazon.com/architecture/well-architected

Global vs Regional resources
https://jayendrapatil.com/aws-global-vs-regional-vs-az-resources/
