Exam Summary

AcloudGuru practice 01

  • AWS recommends that you use multipart upload for files larger than _____

    • 100 MB
  • When using web identity federation and Cognito to allow a user to access an AWS service (such as an S3 bucket), which of the following is the correct order of steps?

    • A user authenticates with Facebook first. They are then given an ID token by Facebook. An API call, AssumeRoleWithWebIdentity, is then used in conjunction with the ID token. A user is then granted temporary security credentials.
  • Which of the following methods will allow you to securely upload/download your data to the Amazon Simple Storage Service (Amazon S3) service?

    • SSL (Secure Sockets Layer) using the HTTPS protocol
    • HTTP endpoints using the HTTPS protocol
    • Note: HTTPS is needed here because the question says "securely"
  • Both Secrets Manager and Parameter Store:

    • Integrate with Identity and Access Management
    • Can store credentials in hierarchical form
    • Support encryption at rest using customer-owned KMS keys
  • You are developing an online banking website which will be accessed by a global customer base. You are planning to use CloudFront to ensure users experience good performance regardless of their location. The security architect working on the project asks you to ensure that all requests to CloudFront are encrypted using HTTPS. How can you configure this?

  • You want to create a continuous delivery pipeline with a build tool recommended by your project manager. However, you anticipate your build project to be large and complex. Which of the following AWS services will enable you to orchestrate complex pipelines, and automate your software build, test, and release processes?

    • AWS CodePipeline
      • CodePipeline is an all-in-one solution that helps with test, build and release.
      • CodeDeploy is for deployment only
  • You are deploying a new version of your application using a CodeDeploy in-place upgrade. At the end of the deployment, you test the application and discover that something has gone wrong. You need to roll back your changes as quickly as possible. What do you do?

    • Note: this is an in-place upgrade, so you can't roll back to the previous version; you need to redeploy the previous version. Only a blue/green upgrade allows you to roll back.
    • See CodeDeploy
  • You want to add a cross-origin resource sharing (CORS) configuration to one of your S3 buckets. Which of the following tabs in the S3 console should you select in order to configure this?

    • Permissions
  • A transport company uses a mobile GPS application to track the location of each of their 60 vehicles. The application records each vehicle's location to a DynamoDB table every 6 seconds. Each transmission is just under 1 KB and throughput is spread evenly over a minute. How many units of write capacity should you specify for this table?

    • 10
      • Write every 6 seconds => 10 writes per minute per vehicle
      • 60 vehicles => 600 writes per minute
      • Since 1 WCU = 1 write per second, we take 600 / 60 seconds = 10
  • You have developed a Lambda function which is not running as performantly as expected. Which of the following approaches can improve the performance of your function?

    • Establish your database connections from within the Lambda execution environment to enable connection reuse.
    • Only include the libraries you need to minimize the size of your deployment package.
  • You are working on a web application which needs somewhere to store user session state across a fleet of instances. Which of the following approaches is the best way to deal with user session state?

    • Use an ElastiCache cluster
    • Store session state in RDS
    • Note: storing state in memory is not good because it cannot be shared between instances
  • A recent increase in the amount of users of an application hosted on an EC2 instance that you manage has caused the instance's OS to run out of CPU resources and crash. The crash caused several users' unsaved data to be lost and your supervisor wants to know how this problem can be avoided in the future. Which of the following would you NOT recommend?

    • Take frequent snapshots of the EBS volume during business hours to ensure users' data is backed up.

Stephane practice 00

  • If you terminate a container instance while it's in the STOPPED state, it leads to a synchronisation issue where the container instance still appears in ECS.

    • Solution: manually deregister it in the ECS console or with the AWS command line
  • You put multiple containers in the same task definition if

    • The containers share the same resources and lifecycle, run on the same host, etc.
  • !Ref vs !GetAtt

    • !Ref returns the value of a parameter
    • !GetAtt returns a predefined attribute, for example EC2Instance.AvailabilityZone
  • WaitTimeSeconds cannot change the visibility timeout. If we need to change the visibility timeout, we need to use ChangeMessageVisibility

    • Visibility timeout can be 0 - 12 hours, with a default of 30 seconds
  • If you want to update the name of your cluster, you need to change the ECS_CLUSTER variable inside /etc/ecs/ecs.config, otherwise the instance will still be launched into the previous cluster

  • If an organisation trail is enabled, member accounts will be able to see it but cannot modify or delete it

  • To find the true client IP behind an Application Load Balancer, use X-Forwarded-For

    • If using a Network Load Balancer you don't have to, since it works with IPs by default
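An added example (not from the original notes) of reading that header on the instance: the ALB appends the connecting client's address as the last entry of X-Forwarded-For, so code should read from the right and treat anything the client sent in the header itself as untrusted. The function names and the sample header below are constructed for illustration.

```python
import ipaddress
from typing import Optional


def _strip_port(entry: str) -> str:
    """Drop an optional port suffix: '203.0.113.7:4321' or '[2001:db8::1]:443'."""
    if entry.startswith("["):                 # bracketed IPv6 with port
        return entry[1:entry.find("]")] if "]" in entry else entry
    if entry.count(":") == 1:                 # IPv4 with port
        return entry.split(":", 1)[0]
    return entry


def client_ip_from_xff(xff_header: Optional[str], trusted_hops: int = 1) -> Optional[str]:
    """Return the client IP that the trusted proxy chain actually observed.

    An ALB APPENDS the connecting client's address to the end of
    X-Forwarded-For, so any value the client itself put in the header sits to
    the LEFT of the ALB's entry and must not be trusted. With trusted_hops=1
    (only the ALB in front of the instance) the answer is the rightmost entry;
    each extra trusted proxy behind the ALB pushes the client one entry further
    left. Returns None if the header is missing, too short, or not an IP.
    """
    if not xff_header or trusted_hops < 1:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    candidate = _strip_port(hops[-trusted_hops])
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def naive_first_hop(xff_header: str) -> str:
    """The common mistake: taking the leftmost entry, which the client controls."""
    return xff_header.split(",")[0].strip()


# Constructed header as the ALB would deliver it when a client sent its own
# X-Forwarded-For value (10.0.0.1) and actually connected from 203.0.113.7.
SPOOFED_HEADER = "10.0.0.1, 203.0.113.7"

if __name__ == "__main__":
    print("naive  :", naive_first_hop(SPOOFED_HEADER))      # 10.0.0.1 (client-chosen)
    print("trusted:", client_ip_from_xff(SPOOFED_HEADER))   # 203.0.113.7
```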
  • SSL Termination vs SSL Passthrough

    • SSL Termination: handle the SSL at the ALB level
    • SSL Passthrough: pass the SSL through to the EC2 level
  • EC2 under heavy load because of HTTPS traffic

    • Solution: SSL termination at the ALB + an SSL certificate via ACM, to let the ALB handle the HTTPS load for you.
    • Note: we cannot use passthrough because then the HTTPS load goes to the EC2 instance
  • In CloudFormation, when deleting stacks, if stack A is using something from stack B, you need to delete stack B first and then delete stack A

  • In S3, if 2 writes are made to a single non-versioned object, there is a possibility that only 1 notification is sent.

  • Using ProjectionExpression will give better performance compared to FilterExpression

  • If the ASG does not replace instances after the ELB marked them as unhealthy, change the health check type from EC2 to ELB via a configuration file

  • If you want to access S3 cross-account, you can

    1. Use a resource-based policy + IAM policies
    2. Use a resource-based ACL (legacy) + IAM
    3. Use a cross-account IAM role
    • Note: if your accounts are in different partitions (for example aws (standard) and aws-cn), you can't use an S3 resource-based policy in your China account to allow access to a user in the standard account.
  • Note: for cross-account access you can use

    • Resource-based policy (an ACL works too)
    • Cross-account IAM role
  • To migrate an Elastic Beanstalk environment from one account to another, you need to:

    • Create a saved configuration from the first account.
    • Make some specific changes and upload it to the S3 bucket of the second account.
    • Then, from the second account, create the application from "Saved Configuration" in the Elastic Beanstalk console
  • CloudFormation: which section can't use conditions? Parameters. Why?

    • Parameters define which input the user will put in the field.
  • For Elastic Beanstalk, the best way to separate different environments is to create an instance for each environment.

  • Blue/green deployment rollback is much faster compared to Rolling / Rolling with additional batch

  • Amazon SWF vs SQS

    • SWF is
      • task oriented - for multi-threaded computing
      • verifies that a task is assigned only once, while SQS may deliver a message multiple times
    • SQS is message oriented
  • There are only 2 types of deployments:

    • Blue/green deployment
    • In-place deployment
  • Services that rely on CloudFormation

    • AWS SAM
    • AWS Elastic Beanstalk
  • Fn::ImportValue or !ImportValue to import the exported value.

  • !Ref gets the parameter (defined in CloudFormation)

  • !GetAtt returns the value of a predefined attribute

  • If you want to allow a Lambda function in account A to access DynamoDB in account B, you need to create a role in account B that allows access to DynamoDB, and then modify its trust policy to allow the execution role in account A to assume this role.

  • Note: you need trust policy for a service to assume a role

  • EBS supports both in-flight encryption and encryption at rest using KMS

  • EC2 bootstrap code: 169.254.169.254/latest/**user-data**

  • EC2 instance keys, public keys, IP: 169.254.169.254/latest/**meta-data**

  • CodeDeploy deployment groups allow different sets of EC2 instances to be deployed at different times in different environments, allowing for a smooth transition.

  • Lambda alias cannot point to another alias. It can only point to a lambda function

  • Scaling Policy:

    • Target Tracking Scaling
      • I want the ASG CPU to stay around 40%
    • Simple / Step scaling
      • When a CloudWatch alarm is triggered (CPU > 70%) ⇒ add 2 units
      • When a CloudWatch alarm is triggered (CPU < 30%) ⇒ remove 1
    • Scheduled actions
      • Increase min capacity to 10 at 5pm
    • Predictive scaling
      • continuously forecast and schedule scaling ahead
  • SQS has KMS encryption for both Standard and FIFO

  • During rollback, AWS CodeDeploy first deploys to the failed instances

  • If users have trouble accessing the website but the ALB health check is good, it's most likely the security groups blocking the IPv4 address

  • EC2 Auto Scaling cannot scale between regions. It only spans across AZs

    • EC2 Auto Scaling works with both Application Load Balancer and Network Load Balancer
  • CodeBuild can be integrated with KMS for encryption

  • If an ELB with cross-zone load balancing enabled routes more traffic to one zone than the other, it could be

    • Sticky sessions
    • the number of instances is not equally distributed
  • If CodeBuild cannot talk to ECR, it's an IAM permission issue

  • Cognito authentication always goes with User Pools

  • To use ECR, we need to run

```shell
# Log Docker in to ECR with the token returned by get-login (AWS CLI v1 command)
$(aws ecr get-login --no-include-email)
# Pull an image from the ECR repository (account id, region and repo as in the notes)
docker pull 1234567890.dkr.ecr.eu-west-1.amazonaws.com/demo:latest
```

Stephane practice 01

  • CloudFormation mappings only have 2 levels => !FindInMap [MapName, TopLevelKey, SecondLevelKey]
  • Which keyword defines that it's a SAM template instead of plain CloudFormation?
    • Transform
  • KMS stores the CMK itself; when a client requests an operation, KMS encrypts the data and sends the result back.
  • You can enable a CodeBuild timeout to time out your build
  • Dedicated instances are cheaper than dedicated hosts
  • The security credential that can only be created by the root user is
    • CloudFront key pair: the key pair that can be used to create signed cookies and so on
  • To access Billing and Cost, you need an IAM user
  • CloudTrail can track any API calls to services from a user (KMS, SSM, ...)
  • Cognito is not part of SAM; there is no SAM resource type for a User Pool
  • CodePipeline just automates the test, build and deploy every time there is a code change. It cannot deploy by itself
  • It's always recommended to use target tracking over step scaling when possible
  • The dead-letter queue of a FIFO queue must be a FIFO queue
  • The dead-letter queue of a standard queue must be a standard queue
  • For ALB to analyse the latency of incoming requests, use ALB access logs
  • An IAM username and password cannot be used to access CodeCommit
  • Elastic Beanstalk will replace failed instances with instances running the most recent successful deployment
  • The root user can't use SMS text-based MFA
  • For an Auto Scaling group in a VPC, EC2 instances are launched in subnets
  • A trust policy is the only resource-based policy that IAM supports
  • IAM can be used to deploy a certificate if it's not supported by ACM
  • To sell your API, use API usage plans
  • If we have third-party authorisation, we have to use a Lambda authorizer
  • If it's not an AWS resource, use a CNAME
  • To define the maximum permissions of a user, we can use either
    • SCP
    • Permission boundary
  • To delete the whole queue with all its messages in SQS, use DeleteQueue
  • To generate a budget forecast, we need at least
    • 5 weeks of usage
  • If the burst balance resets, it's because of immutable updates or traffic-splitting mode
  • If you want your S3 access to be dynamic, it's worth using IAM policy variables so you can actually use variables in your S3 path (user id and so on)

Stephane practice 002

  • A Task state in a state machine has Resource, ResultPath, Next, Comment
  • To run a Lambda function as a container image, the container needs to
    • implement the Lambda Runtime API
    • The Lambda function needs to be in the same account as your ECR repository
  • If you need support for dynamic port mapping => use ECS
    • You can also use Beanstalk, but ECS gives finer control
  • Maximum number of messages that can be stored in SQS
    • No limit
  • When you create a signer:
    • The public key is with CloudFront and the private key is used to sign a portion of the URL
    • You can only have 2 CloudFront key pairs per AWS account
  • If you want to postpone delivery, use a delay queue instead of the visibility timeout
  • Mechanism that cannot be used to authenticate API Gateway: STS
  • For an EC2 instance to connect to the database, we need
    • The route table of the subnet to have a route to an Internet Gateway
    • The network ACLs associated with the subnet to have rules allowing inbound and outbound traffic
  • To improve the performance of CodeBuild, we can
    • Bundle the dependencies in the source code during the build stage of CodeBuild
  • If you want to access AWS resources, you need to use an Identity Pool
  • Spot instance interruption behaviour: what the spot instance does when it's interrupted. Default is terminate. You cannot choose reboot for this behaviour
  • VPC Flow logs capture:
    • IP traffic flowing from/to your VPC
  • DynamoDB PutItem vs UpdateItem:
    • PutItem will replace
    • UpdateItem will update
  • If you use the AWS console to create an ASG, by default monitoring will be basic monitoring
  • gp2 volumes are provisioned
    • 100 IOPS if the volume is 33.33 GB and below
      • and 16000 IOPS if it is 5334 GB (3 * 5334 = 16000) and above, with a rate of 3:1
  • io1 volumes are provisioned at a ratio of 50:1
    • So if the volume has 200 GB, it can be provisioned a maximum of 200 * 50 = 10000 IOPS
  • To use envelope encryption, you need to reference the data as a file within the code
  • EBS volumes are AZ-locked
  • "Immutable" deployment has minimal impact + fastest rollback (faster than rolling with additional batch)
  • CloudFormation supports the following parameter types
    • String – A literal string
    • Number – An integer or float
    • List<Number> – An array of integers or floats
    • CommaDelimitedList – An array of literal strings that are separated by commas
    • AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
    • AWS::EC2::SecurityGroup::Id – A security group ID
    • AWS::EC2::Subnet::Id – A subnet ID
    • AWS::EC2::VPC::Id – A VPC ID
    • List<AWS::EC2::VPC::Id> – An array of VPC IDs
    • List<AWS::EC2::SecurityGroup::Id> – An array of security group IDs
    • List<AWS::EC2::Subnet::Id> – An array of subnet IDs
  • If using DynamoDB on-demand backup and point-in-time recovery, you don't have access to the S3 bucket that AWS makes the backup to

  • Provisioned concurrency vs Reserved concurrency

    • Provisioned concurrency defines a set of Lambda function instances that are always running to prevent cold starts. These instances are always ready to execute with very low latency
    • Reserved concurrency reserves concurrency for a particular function to prevent other functions from using that concurrency. Remember that a Lambda function can only have up to 1000 concurrency
  • ProvisionedThroughputExceeded on Kinesis, solution:

    • Increase the number of shards
    • Configure the producer to retry using exponential backoff
    • Note: using Kinesis fan-out does not help. It only helps if you have multiple consumers
  • CodeBuild integration with CloudWatch metrics

    • Pretty much everything, and you can customise any metric you want CloudWatch to receive.
  • The following databases can be configured with IAM authentication:

    • RDS PostgreSQL and RDS MySQL
  • If X-Ray shows no data, check the IAM role

  • You need to sign API requests if you're sending HTTP requests to AWS services

    • For example SigV4
  • Regional reserved instance vs Zonal reserved instance

    • Zonal allows capacity reservation whereas Regional doesn't
    • Reservations offer some discount
  • Savings Plans: commit to a certain amount of usage for 1 to 3 years

Stephane 003

  • How do you scale SQS?
    • You don't need to scale SQS, it scales itself
  • Are RCU and WCU applied to 1 specific table or to all tables?
    • 1 table
  • If 1 partition receives more WCU compared to the others, it's because of
    • Hot partition
  • RDS automatic backups
    • default retention: 35 days
    • If we want more, we need to create a cron job that creates database snapshots
  • CodeDeploy agent
    • configured for code deployment options. You can specify the max_revisions configuration
    • Archives log files for those revisions
  • CodeBuild scales automatically
  • API Gateway: for each stage, we can adjust the default account-level request throttling limits and enable API caching
  • IAM can be accessed through an HTTP API via API Gateway
  • If your AWS Elastic Beanstalk application takes a long time to perform a task, you can decouple it using a dedicated worker environment
  • If your X-Ray is sending too much, which increases the cost:
    • Enable X-Ray sampling
  • In S3 replication, the only thing that doesn't get replicated is
    • S3 lifecycle actions
  • To enable detailed monitoring, run the following command

```shell
# Switch the given instance from basic (5-minute) to detailed (1-minute) CloudWatch monitoring
aws ec2 monitor-instances --instance-ids i-123456
```
  • For AWS Step Functions
    • Express workflows have a maximum duration of 5 minutes
      • We should use Express for workloads with high event rates and short duration
    • Standard workflows have a maximum duration of 1 year
      • We should use Standard for long-running, durable, auditable workflows that can support human approval
  • EBS supports which type of encryption
    • both in-flight and at-rest encryption using KMS
  • For RDS,
    • Automated backups are limited to 1 region
      • If we want more than 1 region, we need manual snapshots
    • Read replicas support multiple regions
  • To monitor RAM for EC2, you need to
    • create a metric in CloudWatch and make your instance send data to it using PutMetricData.
    • Then create an alarm based on this metric
  • What security feature doesn't work with S3:
    • Security groups
  • To cut the cost of reads on RDS while guaranteeing performance
    • Using ElastiCache is better than a read replica
  • If you have s3:PutObject but get access denied, and the S3 bucket is encrypted, you need to grant
    • kms:GenerateDataKey
  • If you have an Auto Scaling group with multi-AZ enabled, a minimum of 1 and a max of 5, how do you prevent disaster when 1 AZ goes down?
    • Increase the minimum to 2. Since it's multi-AZ, it will scale into 2 different AZs
  • If you want your environment configuration to load dynamically and securely at runtime, use SSM Parameter Store
  • AWS Lambda environment variables limit
    • The size of all environment variables cannot exceed 4 KB. It doesn't matter how many environment variables you have
  • To encrypt a large object using KMS, you need to use
    • the GenerateDataKey API
    • Note: if you use GenerateDataKeyWithoutPlaintext, the plaintext key is generated later.
      • And there is no such thing as GenerateDataKeyWithPlaintext
  • If users log in to your website behind an Auto Scaling group and it appears that they need to re-login often,
    • use an ElastiCache cluster to store the session externally
  • Lambda will add a message to the DLQ if
    • the Lambda function invocation is asynchronous and the event reaches its maximum age or fails all retry attempts
      • Note: when you invoke synchronously, Lambda waits for the response; it doesn't use a queue here

Stephane 04

  • To decode an authorization error message, use
    • AWS STS decode-authorization-message
  • For Redis
    • All nodes of a Redis cluster must be inside the same region
    • if cluster mode is enabled, you cannot manually promote any node to primary
  • Note: warm standby and pilot light are not deployment options. They are disaster recovery options.
    • The only deployment options for CodeDeploy are blue/green and in-place deployment
  • CodeCommit repositories are automatically encrypted at rest
  • Kinesis Agent is a prebuilt Kinesis producer that automatically and continuously monitors a set of files and sends them to a Kinesis stream. It can be used for sending logs to a Kinesis data stream
  • To get object access logs, only the object owner can; the bucket owner needs to be the object owner to get an object's access logs
  • The only options for x-amz-server-side-encryption
    • AES256 - if you're using SSE-S3
    • aws:kms - if you're using KMS
  • If CodeBuild is slow at resolving dependencies, we can cache the dependencies on S3
  • 1 RCU = 2 eventually consistent reads of up to 4 KB each
    • If we need 16 eventually consistent reads of 12 KB each
      • 16/2 = 8 reads of 12 KB each
      • 12 KB => 3 RCU each read => 24 RCU
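As an added worked example (not part of the original notes), the two capacity calculations on this page, the 60-vehicle WCU question and the 16-read RCU question above, coded as a small calculator. It assumes the standard DynamoDB rounding rules: item size rounds up to the next 1 KB for writes and the next 4 KB for reads, and an eventually consistent read costs half a strongly consistent one.

```python
import math

# Capacity-unit rules behind the two worked questions on this page (the
# DynamoDB provisioned-throughput rules, stated here as an assumption):
#   1 WCU = one write per second of an item up to 1 KB
#   1 RCU = one strongly consistent read per second of an item up to 4 KB,
#           or two eventually consistent reads per second of that size
WCU_ITEM_KB = 1.0
RCU_ITEM_KB = 4.0


def write_capacity_units(item_size_kb: float, writes_per_second: float) -> int:
    """WCU needed to sustain writes_per_second of item_size_kb items.

    Item size is rounded UP to the next 1 KB boundary, so a 1.1 KB item costs
    two units per write, not 1.1.
    """
    units_per_write = math.ceil(item_size_kb / WCU_ITEM_KB)
    return math.ceil(units_per_write * writes_per_second)


def read_capacity_units(item_size_kb: float, reads_per_second: float,
                        eventually_consistent: bool = False) -> int:
    """RCU needed to sustain reads_per_second of item_size_kb items.

    Item size rounds UP to the next 4 KB boundary; eventually consistent reads
    cost half as much as strongly consistent ones.
    """
    units_per_read = math.ceil(item_size_kb / RCU_ITEM_KB)
    rcu = units_per_read * reads_per_second
    if eventually_consistent:
        rcu /= 2
    return math.ceil(rcu)


def gps_fleet_wcu(vehicles: int = 60, interval_seconds: int = 6,
                  item_size_kb: float = 0.99) -> int:
    """The transport-company question: 60 vehicles writing just under 1 KB
    every 6 seconds, spread evenly. The notes reason per minute, so do the
    same: 60 vehicles * 10 writes/min = 600 writes/min = 10 writes/s."""
    writes_per_minute = vehicles * (60 / interval_seconds)
    return write_capacity_units(item_size_kb, writes_per_minute / 60)


def batch_read_rcu(reads_per_second: int = 16, item_size_kb: float = 12) -> int:
    """The RCU question: 16 eventually consistent reads/s of 12 KB items."""
    return read_capacity_units(item_size_kb, reads_per_second,
                               eventually_consistent=True)


if __name__ == "__main__":
    print("GPS fleet WCU:", gps_fleet_wcu())        # 10
    print("12 KB batch RCU:", batch_read_rcu())     # 24
```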
  • To clean up DynamoDB, use DeleteTable
  • SSE-KMS is similar to SSE-S3 with the additional feature of an audit trail. They both use AES256
  • X-Ray cannot capture metrics; we need to use CloudWatch Metrics
  • When to use LSI vs GSI
    • Use a GSI if you need to query multiple tables
    • Use an LSI if you do not need to query multiple tables
  • How many LSIs can you create for a table
    • 5
  • How many GSIs can you create for a table
    • 20
  • You can use Git credentials generated from IAM to set up CodeCommit
  • To distribute API traffic, we can use either
    • Route 53
    • or ELB
  • ALB target types
    • Instance
    • IP
    • Lambda
  • Can you assign a specific routable IP to an ALB?
    • No, only private IPs
  • CloudFront can serve both static and dynamic content with low latency
  • CodeDeploy: if a deployment fails, the last known working deployment will be replaced
  • CloudFormation:
    • Stack update: creates a new version of the stack and then deletes the old one
      • If the stack update fails, it deletes the new one
    • Stack creation:
      • If stack creation fails, nothing is created
  • If using a load balancer, the NACL needs to allow ports 1024 - 65535 so the client can pick from the ephemeral port range to connect
  • To invalidate the cache, we use
    • Header Cache-Control: max-age=0
  • To trigger Lambda from any AWS source, we need to create a CloudWatch Event and use that to trigger Lambda
  • Step by step for account B to use a service in account A
    • Account A creates an IAM role and attaches it to the service
    • Account A attaches a trust policy to that role identifying account B as the principal who can assume the role
    • Account B delegates permission to assume the role to any user in account B
  • ProvisionedThroughputExceededException could be because
    • the partition key isn't distributed enough
  • For client-side encryption, you can use a CMK stored in KMS

Stephane 05

  • For which S3 object size should you use multipart upload
    • Larger than 100 MB
  • Maximum size of an S3 object: 10 TB.
  • Maximum size of an S3 object part: 50 GB
  • If you want CloudWatch to work with on-premises servers
    • Use the CloudWatch agent
  • S3 pagination CLI options
    • --page-size
    • --max-items
    • --starting-token
  • If an HTML page on S3 returns 403 access denied
    • create a bucket policy
  • To use X-Ray across multiple accounts
    • Configure X-Ray to use 1 IAM role
    • let the other accounts assume that role
  • One-stop dashboard for all of CI/CD
    • CodeStar
  • CloudFormation: to refer to the zip object
    1. Upload the code as a zip to S3
    2. Refer to the object in the AWS::Lambda::Function block
  • If your RDS workload is unpredictable
    • Enable storage auto-scaling
  • To encrypt CodeBuild, we can use
    • KMS
  • What service enables cross-account tracing and visualisation
    • AWS X-Ray
  • To set up a cron job on Elastic Beanstalk
    • Set up a worker environment and a cron.yaml file
  • Customer-provided key (you manage the key)
    • SSE-C
  • Customer-managed key (AWS manages the key)
    • SSE-KMS
  • Step by step to deploy a SAM application
    1. Develop the SAM template locally
    2. Upload the template to S3
      • The sam command zips your artifact and uploads it to S3
    3. Deploy your application to the cloud
  • API Gateway mapping templates
    • to modify the request/response in API Gateway
  • EC2 Elastic IP:
    • a reserved public IP you can assign to any EC2 instance
  • How to do push notifications
    • SNS
  • To create a new ECS service
    • aws ecs create-service
  • X-Ray
    • To index traces for use with filters
      • Annotations
    • List of segments
      • Trace
    • Partial information in the UI
      • Segments
    • Smaller units within segments
      • Subsegments
  • What variable can be used by the AWS X-Ray SDK to ensure the daemon is correctly discovered on ECS
    • AWS_XRAY_DAEMON_ADDRESS
  • STS assume role timeout range
    • min 15 minutes, max 1 hour
  • Which message parameter should you set for deduplicating messages?
    • MessageDeduplicationId
    • Note: ContentBasedDeduplication is a queue setting, not a message parameter

Stephane 006

  • For ECS to use IAM roles, you need to set in ecs.config
    • ECS_ENABLE_TASK_IAM_ROLE
  • For real-time analysis of Kinesis, use Kinesis Data Analytics
    • Note: this is faster than using Athena, because pushing to S3 and using Athena is not considered real-time anymore
  • ASG does not add another volume when the current one is reaching capacity
  • Kinesis Data Streams encryption
    • In-flight with HTTPS
    • At rest with KMS
  • DynamoDB eventually consistent reads can help reduce latency
  • An RDS multi-AZ instance cannot serve read requests
  • 503: Service unavailable
  • 504: Gateway timeout
    • The load balancer failed to establish a connection before the connection timeout expired
  • There is no direct way to encrypt an unencrypted EBS snapshot using KMS. You need to make a copy and enable encryption.
  • EBS encryption is a region-specific setting. Once you enable it, it's enabled for the whole region and you cannot disable it for just one volume.
  • S3 is strongly consistent read-after-write, however buckets have an eventually consistent model
    • If you delete a bucket and immediately list all buckets, it can still be there
  • Application Load Balancer query-string condition

```json
[
  {
    "Field": "query-string",
    "QueryStringConfig": {
      "Values": [
        {
          "Key": "version",
          "Value": "v1"
        },
        {
          "Value": "*example*"
        }
      ]
    }
  }
]
```
  • Blue/green rollback is quicker than rolling with additional batch
  • If the EC2 instance is running and you want the EBS volume not to be deleted when the instance is terminated, you need to use the AWS CLI and set DeleteOnTermination to false
  • CloudTrail event logs do not log the EBS CreateVolume when EC2 launches
  • You can run CodeBuild locally using the CodeBuild agent
  • To implement API Gateway authentication using a DynamoDB table, we use a Lambda authorizer
  • FilterExpression is not really optimised since it's applied client-side. ProjectionExpression is better
  • CodeDeploy deployment groups: a group of EC2 instances to use for CodeDeploy
  • ALB can work with ECS
  • In CloudFormation
    • Outputs wrap Export, and to use it you use !ImportValue
      • So Outputs:
        • Export:
          • name: abcdefg
  • If you want some attribute of a service, for example the connection endpoint of RDS, use !GetAtt
    • !Ref just gets the reference of a parameter, which can't help you much
  • Execution role vs assume role
    • Execution role: the primary role in the main account that gives permissions to the service
    • Assume role: the role in the other account to assume
  • If you need to debug, use the X-Ray service instead of CloudWatch
  • CloudFront only fails over to the secondary origin when the method is GET, HEAD or OPTIONS
  • CloudFront only routes to the failover region if the primary region failed first. So yes, all requests
  • In ECS, if you want containers to share some resources, you put the two containers into a single task definition.

Neal Davis 01

  • If you want output in Step Functions, use ResultPath. OutputPath will just pass it to the next stage.
  • To use Lambda to process incoming requests from an ALB, set the target group of the ALB to Lambda
    • Note: normally you put API Gateway or ALB in front of your application, not both
  • For CodeDeploy, AWS Lambda and ECS cannot use in-place; you have to use blue/green
  • Elastic Beanstalk zip bundle
    • must not exceed 512 MB
    • must not include a parent folder or top-level directory
  • If you want to use environment variables with ECS, you need to use advanced container definition parameters
  • To use latency-based routing, you need A records in Route 53
  • AWS Elastic Beanstalk is fully managed, with capacity provisioning, load balancing and auto scaling
  • An Amazon key pair can't be used to make API calls. To call AWS from an on-premises server, you should just import an IAM access key into your server and call AWS services.
  • If you want to combine the REST APIs of other services, use AWS AppSync with GraphQL
  • If you have an RDS database and want auto-scaling (not storage), migrate to Aurora of the same type and use Aurora auto scaling to scale read replicas
  • An Amazon event rule can trigger a Lambda function based on a resource
  • To authorise SAML access, use an Identity Pool
  • For a DynamoDB stream to receive the old item, set StreamViewType to OLD_IMAGE
  • To push a Docker image to ECR in CodeBuild, add a post_build phase that uses bash to push it
  • If you want to extract specific metrics from CloudWatch, we need to use a CloudWatch metric filter, as CloudWatch Insights can't extract metrics
  • If you want to use an event source mapping, it needs to be created on the Lambda side, and then you associate the DynamoDB stream with it
  • CodeDeploy hooks for Lambda:
    • BeforeAllowTraffic, AfterAllowTraffic
  • If CodeBuild receives an error stating that the maximum length of environment variables is exceeded, use AWS SSM Parameter Store
  • To minimize the impact of a scan on the table's provisioned throughput, set a smaller page size
  • For ECS, if you set port 0, the container will automatically be assigned a port
  • To send metrics to Amazon CloudWatch, we use the put-metric-data command
  • To send text messages, use SNS
  • For session storage, we can also use DynamoDB
  • To use a library with Lambda, create a zip with the source code and all dependent libraries
  • ECS Fargate charges per running task