CodeStar Academy

    AWS CSAA Study Notes

    • June 3, 2021
    • Posted by: codestar
    • Category: Uncategorized

    Identity Access Management (IAM)

    • Central control of the AWS account
    • Share access
    • Granular permissions via users, groups, roles & policies
    • Identity Federation (Active Directory, Facebook, LinkedIn, etc…)
    • MFA = Multi Factor Authentication
    • Temporary access for users/devices/services (roles & STS credentials that expire)
    • Password rotation policy is highly customizable
    • Policies = JSON documents; each statement has an Effect, Action(s) and Resource(s), optionally a Condition
    • IAM is universal (global); it applies to all regions consistently
    • New users have NO permissions when first created (implicit deny until a policy is attached)
    • New users given programmatic access are assigned an access key ID & secret access key; the secret is viewable only once, so download it & secure it (and prefer roles with temporary credentials over long-lived keys)
    • Always set up MFA on root, and don’t use root for day-to-day work
    • Integrated with AWS marketplace
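The default-deny and explicit-deny rules above are easiest to see by running them. The following is an added example (written for this page, not part of the original notes or of any AWS library): a small Python model of how IAM evaluates identity-based policies, with constructed sample policies. The bucket names and statement IDs are placeholders, and Conditions, NotAction/NotResource and resource-based policies are deliberately not modelled.

```python
# Added example, not from the original notes: a minimal model of how IAM
# evaluates identity-based policies, showing why a brand-new user can do
# nothing until a policy is attached and why an explicit Deny always wins.
# Conditions, NotAction/NotResource and resource-based policies are not
# modelled (assumption); bucket names and SIDs below are made up.
import fnmatch
import json


def _as_list(value):
    """Action/Resource/Statement may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """'*' and '?' wildcards; action names are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """Resource ARNs are case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)


def is_allowed(policies, action, resource):
    """Return (allowed, reason) for `action` on `resource` given every policy
    document attached to the caller (directly or via groups).

    Evaluation order mirrors IAM: default deny -> any explicit Deny wins ->
    otherwise some Allow statement must match.
    """
    allow_sid = None
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
                continue
            sid = stmt.get("Sid", "<unnamed>")
            if stmt.get("Effect") == "Deny":
                return False, f"explicit deny by statement {sid}"
            if stmt.get("Effect") == "Allow" and allow_sid is None:
                allow_sid = sid
    if allow_sid is not None:
        return True, f"allowed by statement {allow_sid}"
    return False, "implicit deny: no statement allows this action"


# Constructed sample policies (placeholder buckets, not real resources).
NEW_USER_POLICIES = []  # a freshly created IAM user has nothing attached

S3_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListAndRead", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}""")

DENY_HR_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "NoHrData", "Effect": "Deny", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-hr-data", "arn:aws:s3:::example-hr-data/*"]
  }
}""")


if __name__ == "__main__":
    checks = [
        (NEW_USER_POLICIES, "s3:GetObject", "arn:aws:s3:::example-public/readme.txt"),
        ([S3_READ_ONLY], "s3:GetObject", "arn:aws:s3:::example-public/readme.txt"),
        ([S3_READ_ONLY], "s3:PutObject", "arn:aws:s3:::example-public/readme.txt"),
        ([S3_READ_ONLY, DENY_HR_BUCKET], "s3:GetObject", "arn:aws:s3:::example-hr-data/salaries.csv"),
    ]
    for policies, action, arn in checks:
        allowed, why = is_allowed(policies, action, arn)
        print(f"{action:14} {arn:48} -> {'ALLOW' if allowed else 'DENY '} ({why})")
```

The order of the policy documents does not matter: the evaluator only returns an allow after every statement has been scanned, so a Deny anywhere wins, which is the behaviour to rely on when you attach a blanket "deny sensitive bucket" policy to a group.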

    S3

    • Secure, durable, highly scalable object storage.
    • Unlimited storage.
    • Object based, NOT block based storage (you can’t boot an OS or run a DB from it -> that’s Elastic Block Storage (EBS)). Objects can be 0 bytes to 5 TB; a single PUT is limited to 5 GB, so larger objects need multipart upload.
    • Files are stored in buckets
    • S3 is a universal namespace, so each bucket name must be globally unique. Two URL styles address the same bucket:
      • Virtual-hosted style: http://<bucket>.s3-aws-region.amazonaws.com/<key>
      • Path style: http://s3-aws-region.amazonaws.com/<bucket>/<key>
    • Read-after-write consistency for PUTs of new objects
    • Eventual consistency for overwrite PUTs and DELETEs, as the change can take time to propagate (note: since December 2020 S3 is strongly consistent for all PUTs and DELETEs, so this is the older exam answer)
    • Objects consist of the following:
      • Key = name of the object
      • Value = the data
      • Version ID (for versioning)
      • Metadata (tags)
      • Subresources
      • Access Control Lists (ACLs)
    • 99.99% availability
    • 99.999999999% durability
    • Tiered storage
    • Lifecycle mgmt.
      • Can be used in conjunction with versioning
      • Can be applied to both current & previous versions
    • Actions:
      • Transition to S3-IA (objects must be at least 128 KB and at least 30 days old)
      • Archive to Glacier (at least 30 days after the transition to S3-IA when both transitions are in the same rule)
    • Storage Tiers
      • S3 Standard
        • 99.99% availability
        • 99.999999999% durability
        • Redundant, designed to sustain loss of 2 facilities concurrently
      • S3-IA (infrequently accessed)
        • 99.9% availability
        • 99.999999999% durability
        • Lower fee than S3, but charged a retrieval fee
      • S3-RRS (Reduced Redundancy Storage)
        • 99.99% availability
        • 99.99% durability
      • Glacier
        • Very cheap (on the order of $0.01 per GB/mo. or less)
        • Used for archive only; objects are not immediately readable
        • Standard retrieval takes 3-5 hours (Expedited: 1-5 minutes, Bulk: 5-12 hours, priced differently)
    • Versioning
      • Stores all versions of an object (including all writes and deletes)
      • Great backup tool
      • Cannot disable versioning once enabled, but you can suspend
      • Integrates with lifecycle rules
      • Can enable MFA Delete, so that an object version can’t be permanently deleted (and versioning can’t be suspended) without an MFA code from the root account
      • Cross Region Replication (CRR) requires versioning on both source & destination buckets – only objects created or modified after CRR is turned on are replicated
      • Can take up a LOT of space on files that change a lot (because it stores each changed version)
    • S3 – Security & Encryption
      • By default, all new buckets are PRIVATE (only the owning account has access)
      • 2 types of access control for buckets (in addition to the IAM policies on the caller)
        • Bucket policies (resource-based JSON policy, one per bucket)
        • ACLs (legacy, per bucket or per object)
      • Buckets can be configured to log all requests (server access logging)
        • Logs can be delivered to another bucket, which can belong to another AWS account
      • Encryption
        • In transit – information to/from the bucket
          • Uses SSL/TLS (HTTPS); a bucket policy can deny any request where aws:SecureTransport is false
        • At rest – 4 methods:
          • Server Side Encryption with S3-managed keys – SSE-S3 (AES-256; S3 holds the keys)
          • Server Side Encryption with AWS Key Management Service managed keys – SSE-KMS
            • Provides a usage audit trail in CloudTrail and separate KMS permissions per key
          • Server Side Encryption with customer-provided keys – SSE-C (you send the key with every request, so TLS is mandatory; S3 uses it and discards it)
          • Client Side Encryption – the customer encrypts data prior to uploading to the bucket; S3 only ever sees ciphertext
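To make the private-by-default and TLS-in-transit points concrete, here is an added example (written for this page, not taken from the notes or from AWS tooling): a Python audit of a bucket policy document that flags a wildcard principal, a missing aws:SecureTransport deny, and a missing server-side-encryption requirement on uploads. The policies, bucket names, account ID and statement IDs are constructed placeholders, and only the common condition shapes are recognised.

```python
# Added example, not from the original notes: a static audit of an S3 bucket
# policy for the mistakes the notes warn about: access granted to everyone
# (undoing the private-by-default posture), no enforcement of TLS in transit,
# and no requirement that uploads be encrypted at rest. Only the well-known
# condition shapes are recognised (assumption); bucket names, the account ID
# and SIDs are placeholders.
import json


def _as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means anonymous / every AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_has(stmt, operator, key, value=None):
    """True if stmt has Condition.<operator>.<key> (optionally with `value`).
    Condition keys are case-insensitive in IAM, so compare lower-cased."""
    block = (stmt.get("Condition") or {}).get(operator) or {}
    for k, v in block.items():
        if k.lower() == key.lower():
            if value is None:
                return True
            return value.lower() in [str(x).lower() for x in _as_list(v)]
    return False


def audit_bucket_policy(policy):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    enforces_tls = False
    enforces_sse = False
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<unnamed>")
        effect = stmt.get("Effect")
        if effect == "Allow" and _is_public_principal(stmt.get("Principal")):
            actions = ", ".join(_as_list(stmt.get("Action")))
            if stmt.get("Condition"):
                findings.append(f"{sid}: grants {actions} to a wildcard principal limited only by a Condition; review it")
            else:
                findings.append(f"{sid}: PUBLIC - grants {actions} to everyone")
        elif effect == "Deny":
            # Deny when the request did not arrive over TLS
            if _condition_has(stmt, "Bool", "aws:SecureTransport", "false"):
                enforces_tls = True
            # Deny PutObject unless the SSE header names an accepted method
            if _condition_has(stmt, "StringNotEquals", "s3:x-amz-server-side-encryption"):
                enforces_sse = True
    if not enforces_tls:
        findings.append("no Deny for aws:SecureTransport=false: plaintext HTTP requests are accepted")
    if not enforces_sse:
        findings.append("no Deny for uploads without s3:x-amz-server-side-encryption: unencrypted objects are accepted")
    return findings


# Constructed sample policies (placeholder bucket and account ID).
PUBLIC_READ = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"}
  ]
}""")

HARDENED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-data/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}""")


if __name__ == "__main__":
    for name, doc in (("PUBLIC_READ", PUBLIC_READ), ("HARDENED", HARDENED)):
        print(name, "->", audit_bucket_policy(doc) or "no findings")
```

Note that the two Deny statements in the hardened policy use Principal "*" on purpose: a Deny must apply to everyone, including the account’s own roles, or a caller with a broad identity policy could still upload over plain HTTP or without encryption.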

    CloudFront – CDN (Content Delivery Network)

    • Edge Location – Where the content will be cached (different from a Region or an AZ)
      • Not just read only, you can write (upload) through them too
      • Objects are cached for the life of the TTL (default 24 hours)
      • Can clear (invalidate) cached objects before the TTL expires, but you are charged beyond a monthly free allowance of invalidation paths
    • Origin – Where the original content is located: an S3 bucket, an EC2 instance, an ELB, or any custom HTTP server (Route 53 is DNS, not an origin)
    • Not faster for the 1st user, but faster for every other subsequent user
    • Can be used for static, dynamic, streaming & interactive content
    • Requests are automagically routed to nearest Edge Location
    • Optimized to work well with other AWS services (duh)
    • Also works with non-AWS origin servers (the “definitive version”)
    • 2 types of Distributions:
      • Web Distribution – Used for websites (HTTP/HTTPS)
      • RTMP Distribution – used for Adobe Flash media streaming (discontinued by AWS at the end of 2020)
    • CloudFront options
      • Restrict Viewer Access – serve private content only to requests that carry a signed URL or signed cookie (signed with a CloudFront key pair); pair it with an Origin Access Identity so the S3 bucket can’t be fetched directly, bypassing CloudFront

    Storage Gateway

    • Connects an on-prem software appliance with AWS storage to provide seamless & secure integration between an org’s on-prem IT environment & AWS storage infrastructure.
    • Asynch replication backed up to S3 as EBS snapshots
    • Data is stored within a single region (user specified)
    • Software appliance is supported on VMware or Hyper-V
    • 3 types of storage gateways:
      • Gateway Stored Volumes (cloud is backup)
        • Keep the entire data set on-prem & asynchronously backed up to S3
        • Create storage volumes up to 16 TB in size & mount them as iSCSI devices
        • Used for offsite backups
        • Constantly replicating changes up to S3 in the form of Amazon EBS snapshots
      • Gateway Cached Volumes (cloud is primary)
        • Only the most frequently accessed data is cached on-prem; the entire data set is stored in S3
        • Using S3 as your SAN array
        • Create storage volumes up to 32 TB in size & mount them as iSCSI devices
        • If you lose internet access, you lose access to all data that isn’t in the local cache
      • Gateway Virtual Tape Library (Gateway-VTL)
        • Presents virtual tapes over iSCSI to existing backup software; tapes are stored in S3 and can be archived to Glacier
    • Pricing:
      • Only pay for what you use, 4 pricing components:
        • Gateway usage (per gateway per month)
        • Snapshot storage usage (per GB per month)
        • Volume storage usage (per GB per month)
        • Data xfer out (per GB per month)

    Snowball (Import/Export)

    2 Types:

    • Import/Export Disk
      • You ship your disks to AWS site of your choice
      • Import into S3, Glacier, or EBS
      • Export from S3
    • Import/Export Snowball
      • Available in US, EU(Ireland) & APAC(Sydney)
      • 50TB or 80TB models available
      • 256-bit (AES-256) encryption of data on the device, with keys managed through AWS KMS
      • A Trusted Platform Module (TPM) provides tamper evidence & a verifiable chain of custody
      • Import into S3 only
      • Export from S3

    EC2 (Elastic Compute Cloud)

    A web service that provides resizable compute capacity in the cloud. Reduces the time required to obtain & boot new server instances to minutes, allowing the ability to quickly scale capacity both up and down.

    • Pricing models:
      • On Demand – pay fixed rate by the hour with no commitment
        • Best for burst need servers & unpredictable workloads that cannot be interrupted
        • For users that want flexibility of EC2 w/out up-front payments or long-term commitment
        • Test/Dev for apps running on EC2 for the 1st time.
        • Supplement reserved instance servers (for extra temporary server load)
      • Reserved – 1 or 3 year term. Discount compared to On Demand, the longer your contract, the more you save.
        • Best for “steady state” systems that you’ll always have running
        • Apps that need reserved capacity, steady state or predictable usage
        • Domain Controllers
        • 1st web server
      • Spot – Allows you to set the maximum price (a “bid” in older terminology) you are willing to pay per hour for spare instance capacity.
        • While the spot price is at or below your maximum, you get a server
        • When the spot price exceeds your maximum, your instance is interrupted with a two-minute warning (published in the instance metadata and as a CloudWatch Events notification), not an hour
        • Best used for grid/batch computing where instances are disposable & applications have flexible start/stop times
        • If the spot instance is terminated by EC2, you don’t get charged for the partial hour of usage. If you terminate it yourself, you’ll get charged for the full hour.

    EBS (Elastic Block Storage)

    Storage volumes that are attached to EC2 instances (think VMDKs)

    • Can’t attach 1 EBS volume to 2 EC2 instances (use EFS for shared storage; the later Multi-Attach feature allows it only for io1/io2 volumes within one AZ)
    • Can attach multiple EBS volumes to 1 EC2 instance
      • How to “grow” an EBS volume (the classic procedure; with Elastic Volumes you can instead modify size/type in place while the volume stays attached, then grow the file system):
        • Detach the original Amazon EBS volume.
        • Create a snapshot of the original Amazon EBS volume’s data in Amazon S3.
        • Create a new Amazon EBS volume from the snapshot, but specify a larger size than the original volume.
        • Attach the new, larger volume to your Amazon EC2 instance in place of the original. (In many cases, an OS-level utility must also be used to expand the file system.)
        • Delete the original Amazon EBS volume (only after verifying the new one).
      • Placed in specific AZs & automatically replicated
      • EBS 3 Volume Types
        • General Purpose SSD (gp2)
          • 99.999% availability
          • Baseline of 3 IOPS per GB & the ability to burst up to 3,000 IOPS for short periods on volumes under 1 TB (burst credits)
          • Use if you need up to 10k IOPS (the gp2 ceiling at the time of these notes)
        • Provisioned IOPS SSD (io1)
          • For I/O intensive apps (large DBs)
          • Use if you need more than 10k IOPS
        • Magnetic (standard)
          • Cheapest
          • Good for infrequently accessed data (file servers)

    Volumes vs Snapshots

    • Volume
      • A volume is a virtual hard disk (think VMDK)
      • Volumes exist on EBS
      • If you take a snapshot of a volume, the snapshot is stored in S3 (AWS-managed; it does not appear in your buckets)
    • Snapshot
      • Point in time copy of a volume
      • Exists in S3 (AWS-managed storage, not visible as objects in your own buckets)
      • Are incremental: only the blocks that have changed since the last snap are moved to S3, yet each snapshot can still be restored on its own
      • 1st snap takes some time to create
      • Can use a snap to create a new volume & change the disk type (magnetic -> gp2 or io1 or any other combination), or to move data to another AZ or region
      • If you want to snap a root volume, you should stop the instance before taking the snap so the image is consistent
      • EBS does not stop the instance for a volume snapshot; however, when you create an AMI from a running instance, EC2 reboots it by default (unless you choose “no reboot”) for the same consistency reason
    • Volumes vs Snapshots – Security
      • Snapshots of encrypted vols are encrypted automatically
      • Vols restored from encrypted snaps are also automatically encrypted
      • You can share unencrypted snaps with other AWS accounts or make them public
      • Encrypted snaps can be shared with specific accounts only if they use a customer-managed KMS key (not the AWS-managed default key), and they can never be made public

    AMI Types (EBS vs Instance Store)

    Storage for the Root Device (root vol), 2 types:

    • Instance Store (ephemeral storage)
      • Can’t “stop” an instance of this type, only reboot or terminate. If the underlying host fails, you will lose data.
      • You can reboot without losing data, if you stop the instance, the data will be wiped.
      • “Ephemeral storage” means exactly that, not persistent
      • The root device for an instance launched from the AMI is an instance store volume created from a template stored in S3
      • Cannot be detached and reattached to other EC2 instances
    • EBS backed volumes
      • Are persistent
      • The root device for an instance launched from the AMI is an EBS volume created from an EBS snapshot
      • Can be stopped, you will not lose data if the underlying host fails.
      • Can be detached and reattached to other EC2 instances
      • By default, both kinds of root vol are deleted on termination, but for an EBS root vol you can turn off “delete on termination” to keep it; this isn’t possible for ephemeral storage.
