What is cloud computing and why should we embrace it?

Benefits of cloud computing

CAGE – C (cost), A (agility), G (global deployment), E (elasticity)

  1. Cost Savings:
    1. The cloud allows you to trade capital expenses such as data centers and physical servers for variable expenses, and to pay only for the IT services you consume.
    2. Variable expenses are much lower than what you would pay to do it yourself because of the economies of scale.
  2. Agility:
    1. The cloud gives you easy access to a broad range of technologies so that you can innovate faster and build almost anything that you can imagine.
    2. You can quickly spin up resources as you need them, from infrastructure services such as compute, storage and databases, to platform as a service, software as a service, Internet of Things, machine learning, data lakes and analytics, and much more.
    3. You can deploy technology services in a matter of minutes, and get from idea to implementation several orders of magnitude faster than before.
    4. This gives you the freedom to experiment, test new ideas to differentiate customer experiences, and transform your business.
  3. Deploy globally in minutes:
    1. With the cloud, you can expand to new geographic regions and deploy globally in minutes.
    2. This enables you to comply with the rules and regulations of countries that require you to host servers locally.
    3. Having applications in closer proximity to end users reduces latency and hence improves customer experience.
  4. Elasticity:
    1. With cloud computing, you don’t have to over-provision resources up front to handle peak levels of business activity in the future.
    2. Instead, you provision the amount of resources that you actually need.
    3. You can scale these resources up or down at the touch of a button to grow or shrink capacity as your business needs change.

Types of cloud computing

The three main types of cloud computing include Infrastructure as a Service, Platform as a Service, and Software as a Service. Each type of cloud computing provides different levels of control, flexibility, and management so that you can select the right set of services for your needs.
  1. Infrastructure as a Service (IaaS):
    1. IaaS contains the basic building blocks for cloud IT.
    2. It enables access to networking features, computers (virtual, or on dedicated CPU/memory) and data storage space.
    3. Supports Intel, AMD and ARM CPUs, NVIDIA GPUs, etc.
  2. Platform as a Service (PaaS)
    1. PaaS removes the need for you to manage operating systems, and allows you to focus on the deployment and management of your applications.
    2. Many operating systems are available, including various Linux distributions, Windows and macOS.
    3. You don’t need to worry about resource procurement, capacity planning, software maintenance or patching.
  3. Software as a Service (SaaS)
    1. SaaS provides you with a complete product that is run and managed by the service provider.
    2. Examples include managed database services, managed file servers, managed serverless Lambda functions, and managed NoSQL such as DynamoDB.
    3. With a SaaS you don’t have to think about how the software service is maintained, patched or how the underlying infrastructure is managed. You only need to think about how you will use that particular software.


My day at the AWS CSAA (Released February 2018) certification exam

Finally I sat for the exam

After preparing for almost two months, I mustered enough confidence and enrolled for the exam. Booked the 8 AM slot on Tuesday, April 17th. Wrote and passed the exam and am waiting for the final certificate.

Before the exam

Do some yoga/meditation/deep breathing or something similar of your choice. This helps you relax, concentrate and refresh your memory. Go early if they are open. This way you can start the exam early. No need to wait until the time on your schedule. You can start early and finish early if the terminals are available to use. Arrived at 7:30 AM and started my test 5 minutes early.

After arriving at the test center

My exam center was in Kondapur, Hyderabad, INDIA on a busy commercial street with lots of vehicular traffic. As soon as I got in, the receptionist greeted me and I was seated. A few minutes later I was asked for IDs. I had laminated copies but they wanted originals. Told them I had laminated the originals, which he accepted. He also looked at my credit cards/PAN/Aadhaar cards.

They asked me to sign on a sheet of paper, asked me to empty everything (watch, keys, coins, wallet, phone, handkerchief) into the locker and locked it, and I kept the key. Oh, he even checked my eyeglasses and confirmed they were acceptable. Very thorough process. I was impressed and actually thought about AWS security and tried to compare it 🙂

The exam room was at the corner, a separate isolated room with five chairs and terminals. Very clean with good lighting and AC. The AC was a little cool so I asked them to increase the temperature, which they kindly did. They had a small scratch board available for scribbling.

The 15 inch LCD monitor was bright enough but I complained that it was dirty, so they came and tried to wipe it, but to no avail. They said the marks were from the scratch pad marker, which I think was the case.

The room was supposed to be soundproof, but as soon as I started the exam, I got distracted by someone talking on the phone loudly. In here, people are on the louder side, and on top of that the cellphone signals are weak. So you can’t really blame them; with all the ambient noise from traffic, cars honking etc., one has to talk loudly. I complained and they quickly gave me ear plugs, which did 70% of the job, but I could still hear sometimes. This is where your meditation skills help, I think 🙂

Data connectivity: It was bad where I gave my exam. There was a one or two second latency when you clicked on the answer before it said “Communicating” and went to the next question. Also, two times during the exam the data connectivity was totally lost. I had to call them in and they had to exit and re-login. When the data connection was restored, the clock started from where it had stopped and took me to the last position. All my answers were saved intact to the server, so I could continue from where I left off. Ideally you should use this interruption to take your break so there won’t be any lost time. When you go to the restroom and come back, they will empty your pockets to check you again and make you sign on the sheet.

The Exam

English grammar, keywords, singulars/plurals and tenses

My mother tongue is not English but I consider myself very proficient in English. The exam, I think, is skewed towards people proficient in languages (English in this case) and grammar. Many questions were very subtle. You need to read every keyword in the question and understand the significance of the keyword to the overall meaning of the question and to the choice of the correct answer. Keywords are either technical (example: indexed data) or plain English such as “customer is willing to move”. Grammatical importance is high. For example, you need to understand the difference between singular (e.g. EC2) and plural (e.g. EC2s).

Even the answers had many subtle keywords that you must pay attention to. These keywords sometimes map directly to one of the five pillars of the Well-Architected Framework and sometimes to the very meaning of the context. It’s very easy to make silly mistakes, even if you know the concept and are an AWS guru, if you don’t pay attention to the keywords. I changed my answers to at least half a dozen questions after I finished and went back to review. The subtleties were really clear once you revisited the question and the corresponding answers a second or third time.

Difficulty level of my exam

This exam was probably the most difficult one (barring the A Cloud Guru final exam :-)) I ever attempted. In many Whizlabs tests (2018 February version) I took, I got almost all questions correct, but it’s extremely difficult to score like that here.

Many difficult questions appeared in the first quarter of the test, which makes you feel you will never be able to finish it on time. But once I flagged the difficult ones and moved on, the questions got simpler and straightforward, with single one-word answers. They stayed at this level for a while, till I reached question 45 or so; then they got difficult again and continued that way till the end. I have to say the technical difficulty is 8 or 9 out of 10, and there is this language difficulty which I’d rate at 8 out of 10. In my opinion it’s good to make it difficult and keep the curve up and maintain the value of this certification. Hats off to Amazon for creating such a wonderful and enjoyable yet extremely challenging question bank.

How I used my time after the clock started

  • Total time given was 130 min for 65 AWS questions
  • Another 5 feedback and rating questions were given at the end, after completion of the exam, with additional time
  • Spent around 80 min to finish all 65 questions, with 15 flagged for review
  • Went back to those 15, spent 30 minutes and changed answers on 4 or 5 of them
  • I was left with 20 min and went back to all the unflagged questions starting from question number one. Was able to review till question number 48 or so before time was up. Glad I did this exercise since I changed the answers on at least 3 items
  • Lost the data connection two times; they had to exit and re-login and it started again from where you lost the internet

Some of the questions that appeared in my exam

To comply with Amazon’s terms and policies I am only giving you the summaries and types of questions that appeared in my exam, grouped into topics. I highlighted the keywords in bold. Most of the questions were directly referring to one of the five pillars of the Well-Architected Framework. You need to match the keywords in the question to one of the pillars, and then the answer will be obvious.

  1. EBS
    1. If my app needs large sequential I/O, what do I use?
      1. Answer: use Throughput Optimized HDD (st1).
      2. Pillars: Cost effective pillar and High performant architecture pillar
    2. If my app needs write-intensive, small, random I/O, how do I design to improve I/O performance?
      1. Answer: RAID 0 striping of multiple EBS volumes together for high I/O performance was the best available choice, since there was no choice given for Provisioned IOPS volumes.
      2. Pillars: Cost effective pillar and High performant architecture pillar
    3. Your on-premises server has an application using a proprietary file system. How do you migrate to AWS?
      1. Answer: Use EBS volumes with EC2. Other choices included EFS, Stored Volumes etc. The keyword is proprietary file system, since EFS supports NFS and stored volumes support iSCSI.
      2. Pillar: Operational Excellence pillar
  2. CloudWatch
    1. EC2 calls an API on behalf of users (the question did not mention which API or which users; assume the AWS API and IAM users). How do you monitor when API calls 1) reach >5 per second, 2) reach >3000/hour, and 3) count API calls by user?
      1. Two answers (multi-select): Enable CloudTrail and use custom CloudWatch metrics to monitor API calls. Wrong choices included CW Metrics (the custom keyword was missing), CW Logs etc.
      2. Pillar: Operational Excellence
  3. CloudTrail
    1. Question about enabling CloudTrail automatically for future regions by turning on CloudTrail for all regions
  4. CloudFront
    1. An EC2 web server is serving static and dynamic content. Due to this you are getting high CPU utilization. How do you reduce the load?
      1. Answer: Use CloudFront with an EC2 origin. Wrong choices included not-so-obvious ones such as CloudFront with URL signing, ElastiCache
      2. Pillar: Performance
    2. How do you serve private S3 content from CloudFront?
      1. Answer: By using an Origin Access Identity for S3 and URL signing. The keyword here is “private”, hence you need to disable public access to the S3 bucket and allow only the OAI from CF to access it. URL signing is a must since you don’t want people to reuse the URLs, as they expire after some time.
      2. Pillar: Security, Performance
  5. RDS
    1. An on-premises DB needs to be migrated to AWS. The requirement is redundant data for DR in three Availability Zones. How do you achieve this?
      1. Answer: AWS RDS Aurora. Since the keyword is 3 AZs. Choices included RDS MySQL with Multi AZ, DynamoDB, RedShift etc.
      2. Pillar: Reliable Pillar
  6. Elasticache
    1. Need to design web session storage for a million-user website; what do you recommend?
      1. Answer is ElastiCache. Other choices that are not good: Redshift, S3, EFS, RDS etc.
      2. Pillar: Performance Efficiency pillar
    2. Many questions came up where ElastiCache was present as one of the choices but it was not the correct choice based on the keywords.
      1. For example, you need data storage for key/value and JSON documents with unlimited capacity that is highly scalable; here DynamoDB is the correct choice, since unlimited capacity and scaling are needed.
  7. Cognito
    1. Need to quickly design and develop a mobile application solution that lets users log in with MFA. What do you suggest?
      1. Answer is Cognito, as it is a ready-to-use identity management solution and provides MFA through SMS. Wrong choices included RDS, S3 policies (to bait you with MFA), IAM etc.
      2. Pillars: Security, Cost Optimization
  8. S3
    1. How do you access S3 privately from on-premises VMs connected via VPN to AWS? Choices included an S3 VPC endpoint via an AWS EC2 proxy, IP whitelisting at the CGW, and IP whitelisting at the VPG.
      1. Answer: Not sure. I recommend reading and understanding S3 private connections (bypassing the internet) from VPNs and VPCs
      2. Pillar: Security
    2. How do you access S3 from a VPC private subnet?
      1. Answer: VPC endpoint. Other choices included NAT Gateway, Internet Gateway etc.
      2. Pillar: Security and Cost pillars
    3. Only the CEO needs to access daily reports on S3, which are very confidential. How do you provide this?
      1. Answer: S3 presigned URLs. Choices included AWS KMS key encryption, AWS S3 key encryption, MFA, IAM roles etc.
      2. Security Pillar
  9. SQS
    1. A mission-critical order processing system is to be designed on EC2 using ELB/Auto Scaling. How do you decouple it?
      1. Answer: SQS. Wrong choices included SNS, SES etc., but did not include SWF, hence SQS is the better option among the available ones.
      2. Pillars: Reliability pillar
  10. Lambda
    1. After a user uploads an image, EC2 copies it to S3; then another EC2 instance constantly checks S3, retrieves the image, processes it and copies the resultant image to another bucket. What do you recommend to redesign this in a decoupled way?
      1. Answer: Use Lambda, since they mentioned redesign and decouple. Other choices included SNS, SES etc. but no SQS. So Lambda was the best choice.
      2. Pillar: Reliability pillar
    2. EC2 has a script that runs hourly to download new files from S3 and process them. How do you improve this for availability?
      1. Answer: Invoke Lambda when a new file is created on S3
      2. Pillar: Reliability and Performance pillars
  11. Kinesis
    1. A car rental agency needs to monitor GPS locations from all cars to make sure they are not driven too far. If they get a few thousand data points every hour, how do they process this data?
      1. Answer: Use Kinesis Firehose, store in S3 and analyze. The keyword to understand is every hour, meaning it’s a data stream coming in 24/7. None of the other choices (EC2, SQS, Lambda) have streaming data features
      2. Pillar: Reliability pillar (data loss is not acceptable)
  12. Application Load Balancer:
    I got 3 or 4 questions on this topic, relating to the choice of ALB over CLB. Luckily I was reading the same topic in the AWS documentation in the morning and I was able to answer correctly.

    1. A set of EC2 instances is running a set of web services using different ports. How do you balance the load?
      1. Answer: ALB, since multiple web services are running across multiple ports spanning multiple EC2 instances. CLB can’t distinguish by port and can balance only a single service.
      2. Pillars: Reliability Pillar
    2. A three-tier web application is using ELB as the front end, a web tier running on EC2 instances and a DB tier running on RDS instances. How can you introduce fault tolerance?
      1. Answer: Classic ELB in front of the EC2 instances. The takeaway keyword here is instances (plural). There was one reasonably good-looking choice, “CLB in front of RDS instances”, but then I remembered CLB can only balance web traffic and not RDS traffic.
      2. Pillars: Reliability Pillar
  13. DynamoDB
    1. You have 60 TiB of indexed data, growing exponentially, that you want to move to AWS. Which unlimited durable storage would you recommend?
      1. Answer: DynamoDB, since the keyword indexed suggests that this data is indexed and searchable/queryable. Other choices included RDS, S3 etc. Unlimited and durable apply to S3 as well, but DynamoDB is better than S3 for indexed data.
      2. Pillar: Reliability pillar
    2. An in-house MySQL is unable to perform even with the highest available CPU/memory configuration. This system reads small 400 kb data items, one record at a time. The customer is willing to move to a new architecture. What do you suggest?
      1. Answer: DynamoDB, since the keywords “one record” and “small items” are used, meaning JOINs are not performed. The language keyword here is “willing to move”, meaning they are OK to go from relational to NoSQL
  14. EC2
    1. Which EC2 option would you recommend for cost-effective servers that you will use continuously for the next three years at the same capacity? A) Regional Standard Reserved Instances B) Regional Convertible Instances C) Standard Reserved Instances
      1. Answer: Please read Jeff’s blog post and understand the minute details. I think I made a mistake here. Did not expect such a complicated, in-depth question in an associate-level exam.
      2. Pillar: Cost effective pillar
    2. IAM role for EC2 question. Simple and straightforward.
    3. What would you recommend to run batch processes every Mon/Thu/Fri from 10 to 12?
      1. Answer: Scheduled EC2
      2. Pillar: Cost effective pillar
  15. VPC
    1. How do you access S3 from a VPC private subnet?
      1. Answer: VPC endpoint. Other choices included NAT Gateway, Internet Gateway etc.
      2. Pillar: Security and Cost pillars
    2. A three-tier application with ELB, web servers and DB servers needs to have no internet connectivity from tiers 2 and 3
      1. Answer: ELB in a public subnet, web servers in a private subnet and DB servers in a private subnet
      2. Pillar: Security pillar
  16. Bastion Host (2 questions)
  17. NAT (4 questions)
    1. You have a NAT and EC2 instances in a private subnet. How do you make it more reliable?
      1. Answer: Add NATs in all AZs
      2. Pillar: Reliable Pillar
    2. Migrating from a NAT instance with custom scripts that perform auto scaling. What do you recommend?
      1. Answer: NAT gateway in all AZs
      2. Pillar: Reliable Pillar
    3. Basic question about a private EC2 instance needing to access the internet for patches. How do you achieve this?
      1. Answer: Use a NAT Gateway. Choices included all gateways such as NAT GW, IGW, VPG, Customer GW etc.
      2. Pillar: Scalable Performant Architecture
  18. EFS
    1. Your auto scaling group runs 10 to 50 Linux instances that need access to common storage which is mountable. What do you recommend?
      1. Answer: The common and mountable keywords imply EFS
  19. Route53
    1. One question relating to Failover policy
  20. ECS
    1. Need to design a system running on Docker containers that need orchestration.
      1. Answer: ECS
  21. Storage Gateway
    1. Your legacy app using iSCSI needs a storage solution on AWS for all new storage
      1. Answer: Cached Volumes, since the keyword new is used, meaning all the new data must be stored on AWS. Stored Volumes is a wrong choice here since with SV you store all new data locally, with a backup on AWS for redundancy purposes only.

What I wish I had read before the exam

As part of my two-month-long preparation, I read the AWS CSAA official study guide (bought the Kindle edition), subscribed to and finished the A Cloud Guru videos and sample tests, and completed all quizzes in WhizLabs. One thing I noticed today: all the complicated questions had answers in Jeff Barr’s blog. I wish I had read all his blog posts before taking the exam. A must-read if you are taking the exam released in February 2018, since this exam targets many newer topics which are not covered in the older exam.


CloudTrail Logs

  1. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
  2. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
  3. CloudTrail is for auditing and is entirely different from CloudWatch. CloudTrail logs all changes (create user, delete user, launch EC2, delete bucket, etc.) to your AWS account’s resources, so you can go and see what changed, when, and by whom. AWS CloudTrail publishes events when you make API calls.
  4. CloudWatch or CloudTrail? Amazon CloudWatch focuses on performance monitoring and system health. CloudTrail focuses on API activity.
  5. CloudTrail logs are saved, encrypted, to S3 or CloudWatch Logs. A trail that applies to all regions gives you the following:
    1. The configuration settings for the trail apply consistently across all regions.
    2. You receive CloudTrail events from all regions in a single S3 bucket and optionally in a CloudWatch Logs log group.
    3. You manage trail configuration for all regions from one location.
    4. You immediately receive events from a new region. When a new region launches, CloudTrail automatically creates a trail for you in the new region with the same settings as your original trail.
    5. You can create trails in regions that you don’t use often to monitor for unusual activity.
  6. An event in CloudTrail is the record of an activity in an AWS account. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
  7. There are two types of events that can be logged in CloudTrail: management events and data events.
    1. By default, trails log management events, but not data events.
    2. Both management events and data events use the same CloudTrail JSON log format. You can identify them by the value in the managementEvent field.
    3. Data events provide insight into the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities. Example data events include Amazon S3 object-level API activity (for example, the GetObject, DeleteObject, and PutObject API operations) and AWS Lambda function execution activity (the Invoke API).
  8. CloudTrail event history provides a viewable, searchable, and downloadable record of the past 90 days of CloudTrail events. You can use this history to gain visibility into actions taken in your AWS account.
  9. AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions. Use IAM to create individual users for anyone who needs access to AWS CloudTrail.
  10. If you have different but related user groups, such as developers, security personnel, and IT auditors, you can create multiple trails per region. This allows each group to receive its own copy of the log files.
  11. For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, Amazon CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region.
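The notes above on the CloudTrail JSON format, the managementEvent field and the "count API calls by user" question can be exercised on a log file. The following is an added example, not code from the original post: it reads constructed records (labelled as such), splits them into management and data events, counts calls per identity, and checks per-window rate thresholds; the field names used (eventTime, eventSource, eventName, awsRegion, managementEvent, userIdentity) are the standard CloudTrail ones, everything else is assumed.

```python
"""Added example (not from the original post): parse constructed records in
the CloudTrail JSON log format, split them into management and data events
by the managementEvent field, and count API calls per identity and per time
window so that rate thresholds (e.g. more than N calls per second) can be
checked. Standard library only; no AWS calls are made."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log file (not a real trail). Only the fields this
# example reads are present; real records carry many more.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-04-17T08:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2018-04-17T08:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
] + [
    # Six S3 object reads by one role within the same second: a data-event burst.
    {"eventTime": "2018-04-17T08:00:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1", "managementEvent": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}}
    for _ in range(6)
]})

# Global services whose events are logged as occurring in us-east-1.
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com",
                   "cloudfront.amazonaws.com", "route53.amazonaws.com"}


def load_records(text):
    """Return the list under the top-level "Records" key of a trail log file."""
    return json.loads(text)["Records"]


def identity_of(record):
    """Best-effort principal label: IAM user name, else the (role session) ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def split_events(records):
    """Split records into (management, data) using the managementEvent field.
    Records without the field are treated as management events, matching the
    default that trails log management events only."""
    management = [r for r in records if r.get("managementEvent", True)]
    data = [r for r in records if not r.get("managementEvent", True)]
    return management, data


def calls_per_identity(records):
    """Count API calls per principal (the 'count of API calls by user' case)."""
    return Counter(identity_of(r) for r in records)


def _epoch(record):
    """eventTime (ISO 8601, UTC) -> integer Unix timestamp."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return int(ts.replace(tzinfo=timezone.utc).timestamp())


def peak_rate(records, window_seconds):
    """Maximum number of calls any single identity made within one fixed
    window of window_seconds (1 for 'per second', 3600 for 'per hour')."""
    buckets = defaultdict(Counter)  # identity -> {window index: count}
    for r in records:
        buckets[identity_of(r)][_epoch(r) // window_seconds] += 1
    return {who: max(c.values()) for who, c in buckets.items()}


def over_threshold(records, window_seconds, limit):
    """Identities whose peak rate exceeds `limit` calls per window."""
    return sorted(who for who, peak in peak_rate(records, window_seconds).items()
                  if peak > limit)


def global_service_regions(records):
    """Regions under which global-service events were logged; per the notes
    above these should all be us-east-1."""
    return {r["awsRegion"] for r in records if r["eventSource"] in GLOBAL_SERVICES}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    mgmt, data = split_events(recs)
    print(f"{len(mgmt)} management events, {len(data)} data events")
    print("calls per identity:", dict(calls_per_identity(recs)))
    print("over 5 calls/second:", over_threshold(recs, 1, 5))
    print("over 3000 calls/hour:", over_threshold(recs, 3600, 3000))
    print("global-service regions:", global_service_regions(recs))
```

In a real deployment the same counts would come from a CloudWatch metric filter on the CloudTrail log group, with an alarm on the threshold; this block shows the logic offline.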

AWS Well-Architected framework (February 2018 CSAA Exam)

The Well-Architected framework has been developed to help cloud architects build the most secure, high-performing, resilient, and efficient infrastructure possible for their applications. This framework provides a consistent approach for customers and partners to evaluate architectures, and provides guidance to help implement designs that will scale with your application needs over time. Following are the five pillars of the Well-Architected framework.

  1. Resilient Architecture Pillar (FARMD)
    1. Fault tolerant: Multi AZ RDS, Route 53 failover policies, ELB health checks
    2. High Availability by spreading across Availability Zones (Using ELB with health checks, Route 53 failover routing etc)
    3. Resilient/reliable storage (S3 is inherently reliable. Use multi AZ deployment in RDS for Disaster Recovery)
    4. Multi tier architecture (ELB/CloudFront tier, web/app tier, data tier)
    5. Decouple system components to avoid single point of failure (use SQS/SWF)
  2. High performant architecture Pillar (SECRI)
    1. Scalability: Scaling up/down by using proper instance types with desired amount of cpu/memory
    2. Elasticity: Scaling out/in with increase/decrease number of instances, load balancing and auto scaling features
    3. Caching (ElastiCache, Aurora cache, CloudFront with edge locations, S3 Transfer Acceleration)
    4. Read replicas: High performance DB tier
    5. IOPS: High performance storage (Provisioned IOPS EBS or standard burstable EBS )
  3. Security Pillar
    1. WAF, VPC ACLs, Security Groups
    2. Bastion hosts for accessing EC2 instances in private subnets through SSH/RDP
    3. NAT gateways/instances for downloading patches from the internet for EC2 instances inside private subnets
    4. Principal-centric security (IAM policies)
    5. Resource-centric security (bucket policies, origin access identities)
    6. Encryption in flight and at rest
    7. Key rotation, MFA, EC2 instance profiles with IAM roles, STS
  4. Cost effective design Pillar
    1. Application tier (spot instances, scaling down, scheduled stop/start)
    2. Storage tier
      1. Using appropriate storage types, e.g. Glacier vs S3 RR vs S3.
      2. Using standard HDD as opposed to SSD for the web tier for small and medium businesses
      3. Deleting unused/unnecessary snapshots, AMIs, S3 objects/buckets
      4. Reduce RDS automatic daily backups
    3. Data transfer
      1. Using VPC endpoints for S3 access to reduce data transfer costs
      2. Transferring using private IPs within an AZ to get local transfer rates
    4. Data/service request costs
      1. S3 or API gateway requests are measured and billed
      2. Using CloudFront in front of S3 to reduce S3 requests
      3. Use SQS long polling
  5. Operational Excellence Pillar
    1. Perform operations as code using CloudFormation etc.
      1. Define your entire workload (applications, infrastructure, etc.) as code and update it with code.
      2. You can script your operations procedures and automate their execution by triggering them in response to events.
      3. By performing operations as code, you limit human error and enable consistent, repeatable responses to events.
    2. Annotated documentation
      1. You can automate the creation of annotated documentation after every build (or automatically annotate hand-crafted documentation).
      2. Annotated documentation can be used by humans and systems.
      3. Use annotations as an input to your operations code. Example: tagging all development EC2 instances with a simple tag that differs from production EC2 instances
    3. Make frequent, small, reversible changes
    4. Refine operations procedures frequently:
      1. As you use operations procedures, look for opportunities to improve them.
      2. As you evolve your workload, evolve your procedures appropriately.
    5. Anticipate failure
      1. Perform “pre-mortem” exercises to identify potential sources of failure so that they can be removed or mitigated.
      2. Test your failure scenarios and validate your understanding of their
      3. Test your response procedures to ensure they are effective and that teams are familiar with their execution.
    6. Learn from all operational failures and Share what is learned across teams and through the entire organization.
    7. Use AWS Support
      1. AWS Cloud Compliance enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud.
      2. AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.
      3. Business Support provides access to the full set of Trusted Advisor checks and guidance for following AWS best practices.
      4. Enterprise Support customers also receive support from Technical Account Managers (TAMs).

AWS CSAA – Released February 2018 Exam Questions

  • Only the launch configuration name, AMI, and instance type are needed to create an Auto Scaling launch configuration. Identifying a key pair, security group, and a block device mapping are optional elements for an Auto Scaling launch configuration.
  • An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is checked. Not a status check.
  • Programmatic access to AWS services is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.
  • Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers)
    • DB snapshots allow you to back up and recover your data.
    • Read replicas allow you to replicate your data.
    • A Multi-AZ deployment allows you to replicate your data and reduce the time to failover.
  • The main difference between Amazon SQS policies and IAM policies is that an Amazon SQS policy enables you to grant a different AWS account permission to your Amazon SQS queues, but an IAM policy does not.
  • After a message has been successfully published to a topic, it cannot be recalled.
  • The CNAME record maps a name to another name. It should be used only when there are no other records on that name.
  • You either transfer the existing domain registration from another registrar to Amazon Route 53 to configure it as your DNS service, or change the NS records to point to the Route 53 name servers.
  • Redis clusters can only contain a single node; however, you can group multiple clusters together into a replication group.
  • Amazon ElastiCache is Application Programming Interface (API)-compatible with existing Memcached clients and does not require the application to be recompiled or linked against the libraries. Amazon ElastiCache manages the deployment of the Amazon ElastiCache binaries.
  • When the clients are configured to use AutoDiscovery, they can discover new cache nodes as they are added or removed. AutoDiscovery must be configured on each client and is not active server side. Updating the configuration file each time will be very difficult to manage. Using an Elastic Load Balancer is not recommended for this scenario.
  • Keywords such as “popular” and supporting “users around the world” are key indicators that CloudFront is appropriate; so are “heavily used” and a requirement for private content, which Amazon CloudFront supports. Corporate use cases where the requests come from a single geographic location, or appear to come from one (because of a VPN), will generally not see benefit from Amazon CloudFront.
  • You have a web application that contains both static content in an Amazon Simple Storage Service (Amazon S3) bucket—primarily images and CSS files—and also dynamic content currently served by a PHP web app running on Amazon Elastic Compute Cloud (Amazon EC2). What features of Amazon CloudFront can be used to support this application with a single Amazon CloudFront distribution? (Choose 2 answers)
    • Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution.
    • Origin Access Identities and signed URLs support serving private content from Amazon CloudFront.
    • Multiple edge locations are simply how Amazon CloudFront serves any content.
  • AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.
  • Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.
  • The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provides the ability to process the data in the stream.
  • By default, network access is turned off to a DB Instance. You can specify rules in a security group that allow access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.
  • When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a database key, and data encryption keys.
  • Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client’s list that matches any one of the load balancer’s ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.
  • Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.
  • An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.
  • The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
  • The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.
  • AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
  • By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.

Security on AWS

  1. EC2 Instance Profile (IP)
    1. When you create a role in IAM using the console, AWS automatically creates an EC2 instance profile with the same name and associates the role with the instance profile. Remember, the names may be the same, but the instance profile and the IAM role are two different things.
    2. When you use the CLI or SDK API to create an IAM role, you have to create an instance profile separately, with a name of your choice.
    3. You select an EC2 instance profile (not a role) from a list of existing profiles when launching an EC2 instance (you don’t choose IAM roles)
    4. An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles.
  2. EC2 Security
    1. RSA 2048 SSH-2 public/private key pairs are used (don’t confuse these keys with data encryption keys such as the ones provided by S3 or those saved in KMS)
    2. Public key(s) are stored in AWS and used when launching an EC2 instance. Corresponding private key must be saved and protected by you.
    3. Linux: the public key is placed on the EC2 instance and the SSH client needs the private key to connect
    4. Windows: the private key is used by the console to decrypt the administrator password
  3. EBS Security
    1. EBS volumes are stored redundantly in the same AZ
    2. Can be optionally encrypted using AES-256
    3. Data is encrypted/decrypted as it moves between EC2 instance and EBS storage
    4. Create Snapshot does not encrypt if the source volume is not encrypted
    5. Create AMI does not encrypt if the source EC2 instance has unencrypted volumes.
    6. Snapshots and AMIs can be encrypted (check box) while copying from unencrypted snapshots or AMIs.
  4. ELB uses TLS
  5. CloudTrail logs are encrypted by default and stored in S3 buckets
  6. CloudFront: no encryption
    1. You create Origin Access Identities in CF and associate these with your distributions
    2. Supports signed URLs to control who can access content
  7. S3
    1. At rest optionally uses SSE and client libraries to encrypt data
    2. In flight uses SSL
  8. Glacier
    1. At rest automatically uses AES-256 to encrypt data
    2. In flight uses SSL
  9. Storage gateway
    1. Asynchronous transfer from the on-premises software appliance to S3
    2. At rest automatically uses AES-256 to encrypt data and store in S3
    3. In flight uses SSL
  10. DynamoDB: Fine grain security at row and column level. Encryption at rest can be enabled only when you are creating a new DynamoDB table. After encryption at rest is enabled, it can’t be disabled. Uses AWS KMS for key.
  11. RDS
    1. RDS Security Groups (different from EC2 security groups)
    2. In flight uses SSL
    3. Optional encryption at rest for all database engines supported
  12. Redshift
    1. Database user permissions are granted on a per-cluster basis (not per table)
    2. Uses a 4-tier key-based architecture to encrypt data using AES-256 at rest
      1. database key
      2. data encryption keys
      3. cluster key
      4. master key
  13. Elasticache
    1. uses “Cache security groups” to control access to cache clusters
  14. SQS
    1. Data is NOT automatically encrypted
    2. The user can encrypt data before sending it to SQS, and the consumer then needs to decrypt it
  15. SNS
    1. Topic owners can set permissions on topics and control who can publish/subscribe to these topics
  16. EMR
    1. Uses two EC2 security groups, one for master nodes and another for slave nodes
    2. Input data can be encrypted before uploading to S3
    3. You will need to add a decryption step to the beginning of your job flow when EMR fetches data from S3
  17. Kinesis
    1. The Kinesis API is only accessible through SSL endpoints
  18. Workspaces
    1. uses PCoIP protocol
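
The KMS encryption-context note earlier on this page says the context is not stored in the ciphertext yet is cryptographically bound to it, and the SQS item above says the producer encrypts and the consumer must decrypt. The following added example (not AWS code and not the KMS API) models that binding with the standard library only: a message is encrypted under a key with a set of key/value pairs, and decryption is refused when the pairs, the key, or the ciphertext differ. KMS itself uses AES-GCM with the context as additional authenticated data; here an HMAC-SHA256 keystream and an HMAC tag stand in for that construction, and the key and context values are constructed for the demo.

```python
"""Toy model of an AWS KMS encryption context: the context is bound to the
ciphertext (decrypt fails without the identical key/value pairs) but is not
stored inside it.  Added example using only the standard library; it is NOT
the KMS API and not AWS code.  KMS uses AES-GCM with the context as additional
authenticated data; here an HMAC-SHA256 keystream plus an HMAC tag stand in."""
import hashlib
import hmac
import json
import secrets


def canonical_context(context: dict) -> bytes:
    """Serialise the key/value pairs deterministically, so pair order does not matter."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (toy stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    """Derive separate encryption and authentication keys from one master key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(master_key: bytes, plaintext: bytes, context: dict) -> bytes:
    """Return nonce || ciphertext || tag.  The tag covers the context, but the
    context bytes themselves are not part of the returned blob."""
    enc, mac = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + body + canonical_context(context), hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(master_key: bytes, blob: bytes, context: dict) -> bytes:
    """Recover the plaintext; raise ValueError if the key, the ciphertext or the
    supplied context differs from what was used at encryption time."""
    if len(blob) < 48:
        raise ValueError("invalid ciphertext")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc, mac = _subkeys(master_key)
    expected = hmac.new(mac, nonce + body + canonical_context(context), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("invalid ciphertext")  # wrong key, altered blob, or wrong context
    return bytes(c ^ k for c, k in zip(body, _keystream(enc, nonce, len(body))))


def demo() -> dict:
    """Exercise the binding with a constructed key and context (not real KMS material)."""
    key = secrets.token_bytes(32)
    context = {"Department": "Finance", "Purpose": "payroll-export"}
    blob = encrypt(key, b"account=12345", context)
    results = {"same_context": decrypt(key, blob, context) == b"account=12345",
               "context_not_in_blob": canonical_context(context) not in blob}
    for label, k, b, ctx in [
        ("wrong_context", key, blob, {"Department": "HR"}),
        ("other_key", secrets.token_bytes(32), blob, context),  # like another account's CMK
        ("altered", key, blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:], context),
    ]:
        try:
            decrypt(k, b, ctx)
            results[label] = "decrypted"  # must not happen
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the context is authenticated but not encrypted or stored, it can carry non-secret metadata (which application, which tenant) that a caller must know and present; a consumer reading a queue message therefore needs both the key material and the agreed context, which is what makes a ciphertext copied into the wrong context useless.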

Cloud Formation

  1. Infrastructure as code (JSON or YAML)
  2. AWS CloudFormation is an AWS service that helps you model and set up your Amazon Web Services resources.
  3. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you.
  4. You don’t need to individually create and configure AWS resources and figure out what’s dependent on what
  5. By using AWS CloudFormation, you create a CF stack and easily manage a collection of resources (stack) as a single unit.
  6. When you use AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly across other regions.
  7. You can use a version control system with your templates so that you know exactly what changes were made, who made them, and when.
  8. A sample template looks like the one below. Notice that even though an Elastic IP (EIP) needs an instance ID, we don’t know the instance ID in advance, so we simply use !Ref with the logical name of the instance resource to obtain it.
    AWSTemplateFormatVersion: "2010-09-09"
    Description: A sample template
    Resources:
      MyEC2Instance:                      # logical ID, referenced by the EIP below
        Type: "AWS::EC2::Instance"
        Properties:
          ImageId: "ami-2f726546"
          InstanceType: t1.micro
          KeyName: testkey
          BlockDeviceMappings:
            - DeviceName: /dev/sdm
              Ebs:
                VolumeType: io1
                Iops: 200
                DeleteOnTermination: false
                VolumeSize: 20
      MyEIP:                              # assumed logical name for the EIP resource
        Type: AWS::EC2::EIP
        Properties:
          InstanceId: !Ref MyEC2Instance  # resolves to the instance ID at stack creation
  9. You can pass input parameters to a CF template, thus avoiding the need to hard-code values (such as the instance type)
  10. You can use AWS::Include to include snippets that are stored in S3
  11. Stacks: When you use AWS CloudFormation, you manage related resources as a single unit called a stack.
    1. You create, update, and delete a collection of resources by creating, updating, and deleting stacks.
    2. All the resources in a stack are defined by the stack’s AWS CloudFormation template.
  12. Change Sets
    1. If you need to make changes to the running resources in a stack, you update the stack.
    2. Before making changes to your resources, you can generate a change set, which is a summary of your proposed changes.
    3. Change sets allow you to see how your changes might impact your running resources, especially for critical resources, before implementing them.
  13. CloudFormation Template Anatomy
    1. Format Version (optional)
    2. Description (optional)
    3. Metadata (optional)
    4. Parameters (optional) Values to pass to your template at runtime (when you create or update a stack). You can refer to parameters from the Resources and Outputs sections of the template.
    5. Mappings (optional) A mapping of keys and associated values that you can use to specify conditional parameter values, similar to a lookup table. You can match a key to a corresponding value by using the Fn::FindInMap intrinsic function in the Resources and Outputs section.
    6. Conditions (optional) Conditions that control whether certain resources are created or whether certain resource properties are assigned a value during stack creation or update.
    7. Transform (optional) You can also use AWS::Include transforms to work with template snippets that are stored separately from the main AWS CloudFormation template. You can store your snippet files in an Amazon S3 bucket and then reuse the functions across multiple templates.
    8. Resources (required) Specifies the stack resources and their properties, such as an Amazon Elastic Compute Cloud instance or an Amazon Simple Storage Service bucket.
    9. Outputs (optional) The optional Outputs section declares output values. For example, you can output the S3 bucket name for a stack to make the bucket easier to find.
        Outputs:
          Logical ID:
            Description: Information about the value
            Value: Value to return
            Export:
              Name: Value to export

      You can use Output variables to:

      1. Import into other stacks (to create cross-stack references),
      2. return in response (to describe stack calls)
      3. view on the AWS CloudFormation console. 
      4. Output Fields
        1. Logical ID: An identifier for the current output.
        2. Description (optional)  The description can be a maximum of 4 K in length.
        3. Value (required): The value of the property returned by the aws cloudformation describe-stacks command. The value of an output can include literals, parameter references, pseudo-parameters, a mapping value, or intrinsic functions.
        4. Export (optional): The name of the resource output to be exported for a cross-stack reference.
        5. The following restrictions apply to cross-stack references:
          1. For each AWS account, Export names must be unique within a region.
          2. You can’t create cross-stack references across regions.
          3. You can’t delete a stack if another stack references one of its outputs.
          4. You can’t modify or remove an output value that is referenced by another stack.
  14. Stack sets:
    1. As you create the stack set, you specify the template to use, as well as any parameters and capabilities that template requires.
    2. A stack set is a regional resource. If you create a stack set in one region, you cannot see it or change it in other regions.
  15. Stack instances: A stack instance is a reference to a stack in a target account within a region.
  16. Use of CF, Beanstalk and Auto scaling are free but you pay for the AWS resources that these services create.
  17. By default, CF rolls back everything when an error occurs (atomic)
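
The Parameters item and the Outputs/Export items above describe how a value is exported from one stack and imported by another, and the restrictions on such references. The following added example (constructed for these notes, not AWS code) builds a producer template that uses Parameters instead of hard-coded values and exports a security group ID, a consumer template that imports it with Fn::ImportValue, and a small local checker for two of the listed restrictions: export names must be unique within a region, and imports cannot cross regions. The export name "network-AppSgId" and the logical IDs AppSecurityGroup and AppInstance are assumed names; check_cross_stack is a helper written here, not a CloudFormation API.

```python
"""Producer/consumer templates for a cross-stack reference, plus a static check
for the restrictions the notes list.  Added example: the templates are
constructed for illustration (export name "network-AppSgId" and logical IDs
AppSecurityGroup/AppInstance are assumed names), and check_cross_stack is a
local helper, not a CloudFormation API."""
import json


def network_template() -> dict:
    """Producer stack: parameters instead of hard-coded values, one exported output."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Exports the app-tier security group id",
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
            "AllowedCidr": {"Type": "String", "Default": "10.0.0.0/16",
                            "AllowedPattern": r"^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$"},
        },
        "Resources": {
            "AppSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "app tier: HTTPS only, from AllowedCidr",
                    "VpcId": {"Ref": "VpcId"},
                    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                              "ToPort": 443, "CidrIp": {"Ref": "AllowedCidr"}}],
                },
            },
        },
        "Outputs": {
            "AppSgId": {"Description": "Security group for app instances",
                        "Value": {"Ref": "AppSecurityGroup"},
                        "Export": {"Name": "network-AppSgId"}},
        },
    }


def app_template() -> dict:
    """Consumer stack: imports the exported security group id; InstanceType is
    a parameter restricted by AllowedValues rather than a hard-coded literal."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "ImageId": {"Type": "AWS::EC2::Image::Id"},
            "InstanceType": {"Type": "String", "Default": "t3.micro",
                             "AllowedValues": ["t3.micro", "t3.small"]},
        },
        "Resources": {
            "AppInstance": {
                "Type": "AWS::EC2::Instance",
                "Properties": {"ImageId": {"Ref": "ImageId"},
                               "InstanceType": {"Ref": "InstanceType"},
                               "SecurityGroupIds": [{"Fn::ImportValue": "network-AppSgId"}]},
            },
        },
    }


def imported_names(node):
    """Yield every literal Fn::ImportValue name anywhere in a template."""
    if isinstance(node, dict):
        if isinstance(node.get("Fn::ImportValue"), str):
            yield node["Fn::ImportValue"]
        for value in node.values():
            yield from imported_names(value)
    elif isinstance(node, list):
        for value in node:
            yield from imported_names(value)


def check_cross_stack(stacks) -> list:
    """stacks: (stack_name, region, template) triples belonging to ONE account.
    Reports duplicate export names within a region and imports of names that
    are not exported in the same region (cross-region imports are not allowed)."""
    stacks = list(stacks)
    exports, problems = {}, []
    for name, region, template in stacks:
        for output in template.get("Outputs", {}).values():
            export_name = output.get("Export", {}).get("Name")
            if isinstance(export_name, str):
                if (region, export_name) in exports:
                    problems.append(f"duplicate export {export_name!r} in {region}: "
                                    f"{exports[(region, export_name)]} and {name}")
                else:
                    exports[(region, export_name)] = name
    for name, region, template in stacks:
        for imported in imported_names(template.get("Resources", {})):
            if (region, imported) not in exports:
                elsewhere = sorted(r for (r, e) in exports if e == imported)
                hint = (f" (exported only in {', '.join(elsewhere)}; cross-region imports "
                        f"are not allowed)") if elsewhere else ""
                problems.append(f"{name} in {region} imports {imported!r}, "
                                f"which is not exported there{hint}")
    return problems


def render(template: dict) -> str:
    """Serialise to JSON, which CloudFormation accepts directly."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print(render(network_template()))
    print(check_cross_stack([("network", "us-east-1", network_template()),
                             ("app", "eu-west-1", app_template())]))
```

Running the checker before deploying catches the two mistakes that otherwise surface only as a failed stack operation; the third restriction in the notes (a stack whose outputs are imported cannot be deleted) is enforced by CloudFormation itself at delete time.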

Elastic Beanstalk

  1. With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications.
  2. You simply upload your application, and Elastic Beanstalk automatically handles the details of
    1. capacity provisioning
    2. load balancing
    3. scaling
    4. application health monitoring
  3. It uses ASG, ELB, EC2, RDS, SNS, CloudWatch and S3 to provision resources.
  4. Elastic Beanstalk supports applications developed in Java, PHP, .NET, Node.js, Python, and Ruby, as well as different container types for each language.
    1. A container defines the infrastructure and software stack to be used for a given environment.
    2. When you deploy your application, Elastic Beanstalk provisions one or more AWS resources, such as Amazon EC2 instances.
    3. The software stack that runs on your Amazon EC2 instances depends on the container type. For example, Elastic Beanstalk supports two container types for Node.js: a 32-bit Amazon Linux image and a 64-bit Amazon Linux image.
    4. You can interact with Elastic Beanstalk by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or eb, a high-level CLI designed specifically for Elastic Beanstalk.
  5. Environments supported
    1. Web server environments
    2. AWS resources created for a worker environment tier
      1. include an Auto Scaling group,
      2. one or more Amazon EC2 instances,
      3. and an IAM role.
      4. provisions an Amazon SQS queue if you don’t already have one.
      5. Elastic Beanstalk installs the necessary support files for your programming language of choice
      6. a daemon on each EC2 instance in the Auto Scaling group. The daemon is responsible for pulling requests from an Amazon SQS queue and then sending the data to the web application running in the worker environment tier that will process those messages.
      7. If you have multiple instances in your worker environment tier, each instance has its own daemon, but they all read from the same Amazon SQS queue.
  6. Predefined Configurations – IIS, Node.JS, PHP, Python, Ruby, Tomcat, Go, .NET.
  7. Preconfigured Docker: Glassfish, Python, or generic Docker
  8. Environment URL has to be unique
  9. Dashboard – Recent events, Monitor, Logs, Alarms, Upload and Deploy and Configurations

Architecting for the AWS Cloud – Best Practices

  1. Scaling up (vertical scaling where you upgrade the memory/CPU) vs scaling out (horizontal scaling where you add additional instances of same size/type)
  2. Design distributed stateless components that can be disposed of or added based on demand
  3. You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata.
  4. Infrastructure as code
    1. CloudFormation templates can be used to automate creating/provisioning your AWS resources in an orderly and predictable fashion and to repeat the formation as many times as needed
  5. Use Auto Scaling to scale out and back
  6. Use CloudWatch alarms/events to send SNS notifications when a particular metric goes beyond a specified threshold. SNS can trigger a Lambda function, enqueue an SQS message, or POST to an API endpoint
  7. Lambda scheduled events: a Lambda function can be scheduled to run at a specified time or at regular intervals
  8. Loose Coupling
    1. Ensures that a failure in one component does not cascade to other components
  9. Service Discovery
    1. Instead of hard-coding the IP address of a loosely coupled service, use DNS/Route 53 zones/ELB endpoints
  10. Asynchronous Integration
    1. Suitable for interaction between two components of a system where an immediate response is not needed; an acknowledgement that the request was received will suffice. Examples: SQS or Kinesis
    2. Loosely coupled components make the system resilient and enable graceful failure
    3. Tight Coupling vs Loose Coupling AWS components
  11. Services NOT Servers
    1. Use Lambda/S3/DynamoDB as opposed to EC2
    2. Serverless architecture can scale out easily
    3. Use Cognito as the identity store as opposed to custom solutions that live on EC2 or in a SQL database
    4. RDS can be scaled horizontally through read replicas as opposed to vertical scaling by upgrading to an instance type with more memory/CPU
    5. The RDS Multi-AZ deployment feature can be used to automatically replicate your DB in a different AZ and fail over in real time when disaster strikes (DR, Disaster Recovery)
    6. Anti-patterns: if your application can maintain data integrity and there is no need for major JOINs or normalization, use the DynamoDB NoSQL database, which is inherently scalable horizontally for both reads and writes
  12. Remove single point of failure and use redundant systems
    1. Active or Standby redundancy
  13. Failure Detection
    1. Alarms/Health Checks
  14. Cost Reduction
    1. Right sizing: find the minimum configuration that is suitable, e.g. use magnetic storage as opposed to SSD, small EC2 instances as opposed to large, etc.
    2. Use spot instances
    3. Use auto scaling to scale back (right sizing)
  15. Security
    1. Use ACLs/Security Groups
    2. Use IAM roles as opposed to access key id/secret access key
    3. Use application firewalls
  16. Use CloudWatch to enable real-time logging/monitoring/auditing of resources

Overview of Security Processes – Summary of the Whitepaper

  1. Shared Security Model
    1. Amazon is responsible for hardware, data centers, facilities
      1. all managed services such as RDS, DynamoDB, etc. are Amazon’s responsibility for updates/patches
    2. Customers are responsible for their own resources: Security Groups, ACLs, bucket policies, EC2 roles, etc.
  2. IP Spoofing
    1. Customers need to inform AWS well in advance before conducting port scanning or vulnerability scanning tests on EC2 instances and obtain their permission.
  3. Storage decommissioning process done by AWS
    1. Delete data/scrub the disk
    2. degauss magnetic disks
  4. Network Security
    1. Use SSL/TLS
    2. Private subnets
    3. IPsec VPN devices
    4. Direct Connect
  5. Amazon is responsible for
    1. DDoS (Distributed Denial of Service)
    2. Man-in-the-middle attacks (MITM)
    3. Port scanning
    4. IP spoofing
    5. Packet Sniffing
  6. AWS trusted advisor
    1. Inspects your resources and advises you to close ports or enable MFA etc
  7. Instance isolation
    1. Different instances running on the same host are isolated using the Xen hypervisor
    2. An instance’s neighbors on the same host have no more access to it than instances running on another host
    3. Memory is scrubbed (set to 0s) by Xen before being returned to the available pool for re-allocation
  8. AES-256 encryption of EBS volumes is available on the more powerful EC2 instance types
    1. All data from EBS is decrypted before sending to EC2
    2. All data coming from EC2 to EBS is encrypted before writing on EBS
  9. Direct connect
    1. Bypass internet and connect to AWS using dedicated connections (802.1q VLAN)
  10. You must download the whitepaper and read completely before going to the exam.
Copyright 2005-2016 KnowledgeHills.