
SQS

About SQS
- Fully-managed queuing service
- Loose coupling: high availability, scalability and reliability
- Uses multiple redundant AZs within a region
- Integrated with IAM
- PCI DSS compliant (can transmit merchant/card data): Payment Card Industry Data Security Standard
- Multiple producers and consumers can interact with SQS at the same time
- 1 million requests/month are free
- Message size = 256 KB
- Supports JSON, XML, unformatted text
- At-least-once delivery = more than one copy of a message can be delivered
Types (SQS)
- Standard (default)
- FIFO
  - Exactly-once processing
  - Limited to 300 TPS (transactions per second)
Visibility Timeout
- Default is 30 sec
- Max is 12 hrs
SQS guide
- When a consumer receives and processes a message from a queue, the message remains in the queue. AWS SQS doesn't automatically delete the message.
- Because SQS is a distributed system, there's no guarantee that the consumer actually receives the message (for example, due to a connectivity issue, or an issue in the consumer application). Thus, the consumer must delete the message from the queue after receiving and processing it.
- Immediately after a message is received, it remains in the queue. To prevent other consumers from processing the message again, AWS SQS sets a visibility timeout, a period of time during which AWS SQS prevents other consumers from receiving and processing the message.
- The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours.
- Can be used with Auto Scaling groups
- You can create a priority queue (process differently for premium and standard members)
- Producer => SNS Topic => Order Queue / Audit Queue
- Can send/receive/delete a maximum of 10 messages in a request (batch versus single)

- Message retention period (1 minute to 14 days), default is 4 days
- Delay queues let you postpone the delivery of new messages in a queue for a specific number of seconds
- A dead-letter queue is a queue that source queues can target for messages that can't be processed (consumed) successfully
AWS SQS Long Polling
- Short polling (default) returns immediately even if there are no messages in the queue.
- Long polling eliminates false empty responses by querying all (rather than a limited number) of the servers.
- Long polling returns messages as soon as any message becomes available.
- Change ReceiveMessageWaitTimeSeconds (0-20 seconds max)
- Can help avoid burning CPU cycles (for example, when using EC2 to process your messages)
- Long polling helps reduce the cost of SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren't included in a response).
- You can enable long polling for a new or existing queue using the AWS Management Console or the AWS SDK for Java
Benefits of Long Polling
- Eliminate empty responses by allowing Amazon SQS to wait until a message is available in a queue before sending a response
- Eliminate false empty responses by querying all of the servers
- Return messages as soon as they become available
Note: You can confirm that a queue is empty when you perform a long poll and the ApproximateNumberOfMessagesDelayed, ApproximateNumberOfMessagesNotVisible, and ApproximateNumberOfMessagesVisible metrics are equal to 0 at least 1 minute after the producers stop sending messages (when the queue metadata reaches eventual consistency). For more information, see Available CloudWatch Metrics for Amazon SQS.
AWS SQS Batch Actions
- To reduce costs or manipulate up to 10 messages with a single action, you can use the following actions:
  - SendMessageBatch
  - DeleteMessageBatch
  - ChangeMessageVisibilityBatch
- You can take advantage of batch functionality using the Query API, or an AWS SDK that supports the AWS SQS batch actions.
SQS facts

- To select the message to delete, use the ReceiptHandle of the message (not the MessageId which you receive when you send the message)
- You can use dead-letter queues to isolate messages that can't be processed for later analysis.
- SQS doesn't encrypt messages by default.
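The consumer rules in the SQS guide above (the message stays in the queue after a receive, the visibility timeout hides it from other consumers, deletion is by ReceiptHandle rather than MessageId, an undeleted message is redelivered, expired messages are dropped after the retention period, and a dead-letter queue catches messages received too many times) are easiest to see in a small in-memory model. The following is an added example written for these notes, not AWS or SDK code; it uses integer seconds supplied by the caller so it runs offline, and treats a stale ReceiptHandle as rejected, which is a simplification of the real service's "use the most recent handle" rule.

```python
"""Toy in-memory model of the SQS consumer semantics described in the notes.

Constructed example, not AWS code: it models the visibility timeout,
deletion by ReceiptHandle (not MessageId), at-least-once redelivery when a
consumer never deletes, message retention, and a dead-letter queue that
receives a message once it has been received maxReceiveCount times.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_VISIBILITY_TIMEOUT = 30          # seconds (notes: default 30 s, max 12 h)
DEFAULT_RETENTION = 4 * 24 * 3600        # seconds (notes: default 4 days)


@dataclass
class Message:
    message_id: str                      # returned to the producer on send
    body: str
    sent_at: int
    receive_count: int = 0
    invisible_until: int = 0             # hidden from other consumers until this time
    receipt_handle: Optional[str] = None # a new handle is issued on every receive


@dataclass
class Queue:
    visibility_timeout: int = DEFAULT_VISIBILITY_TIMEOUT
    retention: int = DEFAULT_RETENTION
    max_receive_count: Optional[int] = None   # None = no dead-letter queue configured
    dead_letter: List[Message] = field(default_factory=list)
    _messages: List[Message] = field(default_factory=list)
    _by_handle: Dict[str, Message] = field(default_factory=dict)

    def send(self, body: str, now: int) -> str:
        msg = Message(secrets.token_hex(8), body, now)
        self._messages.append(msg)
        return msg.message_id

    def receive(self, now: int, max_messages: int = 1) -> List[Tuple[str, str]]:
        """Return up to max_messages (receipt_handle, body) pairs visible at `now`."""
        # Messages past the retention period are dropped without ever being consumed.
        self._messages = [m for m in self._messages if now - m.sent_at < self.retention]
        delivered = []
        for m in list(self._messages):
            if len(delivered) == max_messages:
                break
            if m.invisible_until > now:
                continue                          # another consumer still holds it
            if self.max_receive_count is not None and m.receive_count >= self.max_receive_count:
                self._messages.remove(m)          # poison message: park it for later analysis
                self.dead_letter.append(m)
                continue
            m.receive_count += 1
            m.invisible_until = now + self.visibility_timeout
            m.receipt_handle = secrets.token_hex(8)
            self._by_handle[m.receipt_handle] = m
            delivered.append((m.receipt_handle, m.body))
        return delivered

    def delete(self, receipt_handle: str) -> bool:
        """Delete by the most recent ReceiptHandle; a stale handle is rejected in this model."""
        m = self._by_handle.pop(receipt_handle, None)
        if m is None or m.receipt_handle != receipt_handle or m not in self._messages:
            return False
        self._messages.remove(m)
        return True


def walk_through() -> dict:
    """Scenario: consumer A receives and crashes; B gets the redelivery and deletes it."""
    q = Queue(visibility_timeout=30, max_receive_count=2)
    q.send("order-1", now=0)
    handle_a, _ = q.receive(now=0)[0]
    hidden = q.receive(now=10)                   # [] : still inside A's visibility timeout
    handle_b, _ = q.receive(now=30)[0]           # timeout lapsed: at-least-once redelivery
    return {
        "hidden_during_timeout": hidden == [],
        "stale_handle_rejected": not q.delete(handle_a),
        "current_handle_deleted": q.delete(handle_b),
        "queue_empty_after_delete": q.receive(now=60) == [],
    }


if __name__ == "__main__":
    print(walk_through())
```

The walk-through is the at-least-once case from the notes: the message is not lost when consumer A dies, but consumer B must be prepared to see a duplicate, and only the handle from B's own receive deletes it.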

SWF
Programming language SDKs available for SWF
- Java, Ruby, .NET and PHP
Can I use AWS Identity and Access Management (IAM) to manage access to Amazon SWF?
- Yes. You can grant IAM users permission to access Amazon SWF. IAM users can only access the SWF domains and APIs that you specify.
Maximum number of SWF domains allowed in an AWS account is 100
- You can have a maximum of 10,000 workflow and activity types (in total) that are either registered or deprecated in each domain.
- You can have a maximum of 100 Amazon SWF domains (including registered and deprecated domains) in your AWS account.
- Guarantees delivery order of messages/tasks.
How long can workflow executions run?
- Each workflow execution can run for a maximum of 1 year. Each workflow execution history can grow up to 25,000 events.
In SWF, what are the containers called for segregating application resources?
- Domains
  - In SWF, you define logical containers called domains for your application resources. Domains can only be created at the level of your AWS account and may not be nested.
Developing Deciders in Amazon SWF
- A decider is an implementation of the coordination logic of your workflow type that runs during the execution of your workflow. You can run multiple deciders for a single workflow type.
True about SWF
- A human can perform an activity task, but not a decision task.
Some core benefits of SWF
- One of the major use cases of SWF is video encoding
- Centralize the coordination of steps in the application
- Automate workflows that include human tasks
- Manage the flow of work between application components
- Integrate a range of programs and components

- Help developers use asynchronous programming in the development of their applications

STS
STS facts
- STS enables you to request temporary, limited-privilege credentials.
- STS enables users to assume roles
- STS generates federated credentials for IAM users
- The IAM user used to generate federated user credentials does not have access to the S3 bucket
- AWS allows a federated user's request only when both the attached policy and the IAM user policy explicitly allow the federated user to perform the requested action.
STS AssumeRoleWithSAML
- Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
- The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token.
- By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session.

SNS
- The various SNS endpoints for Northern Virginia:
  - US-East-1 (Virginia): http://sns.us-east-1.amazonaws.com
What are appropriate ways for you to provide timely, device-specific instructions to end users when announcing this downtime?
- Send a single message, but customize the text in the SNS message field so that each device gets only the information that is appropriate for it.
What is the format of an Amazon SNS topic?
- Topic names are limited to 256 characters. Alphanumeric characters plus hyphens (-) and underscores (_) are allowed. Topic names must be unique within an AWS account. After you delete a topic, you can reuse the topic name.
- When a topic is created, Amazon SNS will assign a unique ARN (Amazon Resource Name) to the topic
- The following is the ARN for a topic named "mytopic" created by a user with the AWS account ID "123456789012" and hosted in the US East region:
arn:aws:sns:us-east-1:1234567890123456:mytopic

How long will subscription requests remain pending, while waiting to be confirmed?
- Tokens included in the confirmation message sent to endpoints on a subscription request are valid for 3 days.
Can a message be deleted after being published?
- No, once a message has been successfully published to a topic, it cannot be recalled.
Does Amazon SNS provide at-least-once message delivery to Amazon SQS queues?
- Yes, Amazon SNS guarantees that each message is delivered to Amazon SQS at least once.
Protocols for AWS SNS
- HTTP
- HTTPS
- Email
- Email-JSON
- Amazon SQS
- Application
- AWS Lambda
- SMS
SNS Message Filtering
- To exclude messages for someone in a group
SNS Message Attribute Items and Validation
- Name: A-Z, a-z, 0-9, underscore (_), hyphen (-), and period (.). The name must not start or end with a period. It can be up to 256 characters long
- Type: Data types are String, String.Array, Number, and Binary. The data type is case-sensitive and can be up to 256 bytes long
- Value
- Message size restriction: 256 KB
- Name, type, and value can't be empty or null.
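The topic-name, topic-ARN and message-attribute rules listed in this SNS section can be checked on the client before a publish or create call, which keeps malformed input out of the API and out of error logs. The code below is an added example written for these notes, not AWS SDK code; it encodes only the rules stated above (FIFO topic names, which end in .fifo, are outside these notes), treats custom attribute types as a base type followed by a dot-suffix, and uses constructed sample values.

```python
"""Client-side validation of SNS topic names, topic ARNs and message attributes.

Constructed example (not AWS SDK code). Rules encoded: topic names are 1-256
characters of [A-Za-z0-9_-]; a topic ARN carries a 12-digit account ID;
attribute names are 1-256 characters of [A-Za-z0-9_.-] and may not start or
end with a period; the data type is case-sensitive, begins with String, Number
or Binary (String.Array is the built-in array type) and is at most 256 bytes;
name, type and value must all be non-empty.
"""
import re
from typing import Dict, List

TOPIC_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")
ATTR_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,256}$")
ATTR_BASE_TYPES = {"String", "Number", "Binary"}
TOPIC_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):sns:(?P<region>[a-z0-9-]+):"
    r"(?P<account_id>\d{12}):(?P<topic>[A-Za-z0-9_-]{1,256})$"
)


def validate_topic_name(name: str) -> List[str]:
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("topic name is empty")
    elif len(name) > 256:
        problems.append("topic name exceeds 256 characters")
    elif not TOPIC_NAME_RE.match(name):
        problems.append("topic name may contain only letters, digits, hyphens and underscores")
    return problems


def is_topic_arn(arn: str) -> bool:
    return TOPIC_ARN_RE.match(arn) is not None


def parse_topic_arn(arn: str) -> Dict[str, str]:
    """Split a topic ARN into partition, region, account_id and topic; ValueError if malformed."""
    m = TOPIC_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a well-formed SNS topic ARN: {arn!r}")
    return m.groupdict()


def validate_message_attribute(name: str, data_type: str, value) -> List[str]:
    """Check one message attribute against the rules in the notes."""
    problems = []
    if not name or not data_type or value in ("", None):
        problems.append("name, type and value must all be non-empty")
        return problems
    if not ATTR_NAME_RE.match(name):
        problems.append("attribute name has invalid characters or length")
    if name.startswith(".") or name.endswith("."):
        problems.append("attribute name must not start or end with a period")
    if data_type.split(".")[0] not in ATTR_BASE_TYPES:
        problems.append("data type must be String, String.Array, Number or Binary (case-sensitive)")
    if len(data_type.encode("utf-8")) > 256:
        problems.append("data type exceeds 256 bytes")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the account ID is the one used in the notes.
    print(parse_topic_arn("arn:aws:sns:us-east-1:123456789012:mytopic"))
    print(validate_message_attribute(".bad.name", "string", ""))
```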

solution_architect_associate
You are hosting a web application in EC2, where the number of users is expected to increase in the coming months. The best methods to add elasticity are:
- Set up the web application on more EC2 instances and put them behind an Elastic Load Balancer.
- Set up your web application on more EC2 instances and use Route 53 to route requests accordingly.
Maximum ratio of IOPS to volume size is 50:1
- If the volume size is 8 GiB, the maximum IOPS of the volume can be 400.
You have 2 Ubuntu instances located in different subnets in the same VPC. These instances should be able to communicate with each other, but when you try to ping from one instance to the other, you get a timeout. The route table seems to be valid and has the entry for the target "local" for your VPC CIDR. The valid reason for this issue is:
- The Security Group has not been modified to allow the requested traffic.
To move an EBS volume currently attached to an EC2 instance from one AZ to another:
- Create a snapshot of the volume and then create a volume from the snapshot in the other AZ.
Retrieve the public IP addresses assigned to a running instance via the instance metadata:
- http://169.254.169.254/latest/meta-data/public-ipv4
Ensure that you are able to recover from a database crash when using MySQL RDS in AWS.
- Ensure that you use the MyISAM storage engine for MySQL (Recommended practice)
  - Ensure that automated backups are enabled for RDS. (Not Recommended practice)
  - Ensure that tables in RDS do not get too large. (Not Recommended practice)
  - Ensure that the file size for RDS is well under 16 TB. (Not Recommended practice)
Route 53 features
- Registration of domain names.
- Routing of internet traffic to domain resources.
- Health checks of resources
- (not a feature) Offloading content to cache locations.
Type of endpoints exposed when working with API Gateway.
- HTTPS
Verbs supported with API Gateway

- GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Container technologies supported by AWS
- Docker
Provides a single sign-on experience for existing users when used alongside the AWS Security Token Service with an on-premises application
- SAML 2.0 (Security Assertion Markup Language)
OpenID Connect and OAuth
- Used when you want users to sign in using a well-known third-party identity provider such as Login with Amazon, Facebook or Google
Volume check has a status of 'Insufficient data'
- The check on the volume is still in progress (if the check fails, the status of the volume is impaired)
What constitutes the term 'Golden Image'?
- Refers to an AMI which has been constructed from a customized image
When designing a health check for your web application which is hosted behind an ELB, which of the following health checks is ideal to implement?
- HTTP health check
Example of synchronous replication in AWS
- AWS Multi-AZ RDS
- Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different AZ.
To get the reason for your EC2 instance termination from the CLI
- aws ec2 describe-instances
Which AWS services should be implemented in multiple AZs for high-availability solutions?
- Amazon EC2
- Amazon ELB
If an application is processing once a week and not all messages are picked up by the application, where the application is currently configured on an EC2 instance to process messages in SQS, the issue is:
- Some of the messages have surpassed the retention period defined for the queue.
- When you create an SQS queue with default options, the message retention period is 4 days, which means a message sent at the start of the week will get deleted before it can be picked up by the application.
Queue Attributes
  - Default Visibility Timeout = 30 sec.
  - Message Retention Period = 4 days.
  - Maximum Message Size = 256 KB.
You created your own VPC and subnet. You have launched an instance in that subnet. You noticed that the instance is not receiving a DNS name. The probable reason is:
- The VPC configuration needs to be changed.

- Go to Actions and edit DNS Hostnames.
You want to have a VPC created in AWS which will host an application. The application will just consist of web and database servers to be accessed from the internet by internet users. The VPC configuration you use is:
- VPC with public and private subnets
- This practice is recommended if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible
Which of the following are true with regard to EBS volumes?
- EBS volumes are automatically replicated within that zone to prevent data loss due to failure of any single hardware component.
- After you attach a volume, it appears as a native block device similar to a hard drive or other physical device.
- An EBS volume can be attached to only one instance at a time. Not true: EBS volumes can be attached to any EC2 instance in an AZ.
Your VPC has 3 subnets: 1 private, 2 public. All EC2 instances are in the same Security Group. You created an application which connects to mobile devices using a custom port. This application has been rolled out to production and you need to open this port globally to the Internet.
- Open the port on the existing security group. Your EC2 instances will be able to communicate over this port immediately.
You are creating a number of EBS volumes for your EC2 instances. You are concerned about the backups of the EBS volumes. Which of the below is a way to back up the EBS volumes?
- Write a cron job that uses the AWS CLI to take a snapshot of production EBS volumes
- You can create a snapshot via the CLI command create-snapshot
- Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you only need to retain the most recent snapshot in order to restore the entire volume.
Planning to host a static website on EC2 in a highly available environment. (Use the below aspects)
- An Auto Scaling group to recover from EC2 instance failure
- Elastic Load Balancer
- Multiple Availability Zones
What amount of temp space is allocated to you when using a Lambda function, per invocation?
- 512 MB (ephemeral disk capacity / temp space)
Requirement to create a subnet in an AWS VPC which will host around 20 hosts. This subnet will be used to host web servers.
- 10.0.1.0/27

- The available IP addresses for this CIDR block is 32 addresses. However, the first four IP addresses and the last IP address in each subnet CIDR block are reserved and cannot be assigned to an instance. This is the reason why in the explanation part it has been written that 27 IP addresses are available for allocation. Note:
  - 10.0.1.0 : Network address
  - 10.0.1.1 : Reserved by AWS
  - 10.0.1.2 : Reserved by AWS
  - 10.0.1.3 : Reserved by AWS
  - 10.0.1.31 : Network Broadcast Address
You run a website which hosts videos and you have 2 types of members: premium fee-paying members and free members. All videos uploaded by both your premium members and free members are processed by a fleet of EC2 instances which poll as videos are uploaded. However, you need your premium fee-paying members' videos to have a higher priority than your free members'. How do you design SQS?
- Create 2 SQS queues, one for premium and one for free members. Program your EC2 fleet to poll the premium queue first and, if it is empty, to then poll your free members' SQS queue.
True about SSE
- SSE encrypts messages as soon as Amazon SQS receives them
In a VPC, you have launched 2 web servers and attached them to an internet-facing ELB. Both web servers and the ELB are located in public subnets. Yet you are still not able to access your web application via the ELB.
- You should attach an Internet Gateway to the VPC and route it to the subnet.
You want to ensure that you keep a check on the active volumes, active snapshots and Elastic IP addresses you use, so that you don't go beyond the service limit. Which of the below services can help in this regard?
- AWS Trusted Advisor
  - It is an online resource to help you reduce cost, increase performance and improve security by optimizing your AWS environment.
If you don't know what the storage capacity requirements are, text and audio files can be stored in S3 until they are retrieved.
To create a script which could create duplicate resources in another region in case of disaster:
- CloudFormation
  - Helps you model and set up your Amazon Web Services resources, so that you can spend less time managing those resources and more time focusing on your applications that run in AWS.

Bastion hosts are instances in public subnets which are used as jump servers to resources within other subnets.
For reserved instances which we need to shut down now but whose data is still required for the future:
- Take a snapshot of the EBS volumes and terminate the instance
- Sell the instance on the AWS Reserved Instance Marketplace.
Disaster Recovery best solution
- Create an AMI of the EC2 instances and copy it to another region.
You need to add a security rule so that you can access HTTP traffic to the server. Add rules to the security group as desired.
- Type HTTP -- Protocol TCP -- Port Range 80 -- Source 0.0.0.0/0
- Type HTTP -- Protocol TCP -- Port Range 80 -- Source ::/0
- Type SSH -- Protocol TCP -- Port Range 22 -- Source 0.0.0.0/0
Amazon Redshift uses this block size for its columnar storage
- 1024 KB
Don't save your API credentials. Instead, create a role in IAM and assign this role to an EC2 instance when you first create it.
Which of the following metrics do you need to design a custom CloudWatch metric for, when monitoring the health of your EC2 instances?
- Memory Usage
In order for an EC2 instance to be accessible from the Internet, the following are required:
- An Internet Gateway attached to the VPC.
- A public IP address attached to the instance.
- A route entry to the Internet Gateway in the route table.
Kinesis Stream data records are only accessible for a default of 24 hours from the time they are added to a stream. It stores 25 hours by default, up to 168 hours.
A customer wants to track access to their Amazon S3 buckets and also use this information for their internal security and access audits. Which of the following will meet the customer's requirements?
- Enable server access logging for all required Amazon S3 buckets.
When you define a Network ACL for your subnet, as soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.
Which procedure for backing up a relational database on EC2 that is using a set of RAIDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in consistent backups?
- Suspend disk I/O
- Start EBS snapshots of the volumes
- Wait for the snapshots to complete
- Resume disk I/O
Services that can be used to store session data for session management

- RDS, DynamoDB and ElastiCache.
24/7 access to support
- Access to the full set of Trusted Advisor checks (both Business and Enterprise), but Business ensures the cost is minimum.
Private IP addresses
- In Amazon EC2-Classic, the private IP addresses are only returned to Amazon EC2 when the instance is stopped or terminated.
- In Amazon VPC, an instance retains its private IP addresses when the instance is stopped.
- In Amazon EC2-Classic, the private IP address is associated exclusively with the instance for its lifetime
- Not true about private IP addresses:
  - In Amazon VPC, an instance doesn't retain its private IP addresses when the instance is stopped.
Best practices for monitoring EC2 instances
- Create and implement a monitoring plan that collects monitoring data from all of the parts of your AWS solution.
- Automate monitoring tasks as much as possible.
- Check the log files on your EC2 instances.
SWF
- Makes it easier to develop asynchronous and distributed applications by providing a programming model and infrastructure for coordinating distributed components.
SWF and Amazon EC2 are an appropriate solution for:
- Managing a multi-step and multi-decision checkout process of an e-commerce website
- Orchestrating the execution of distributed and auditable business processes.
In case of a sudden increase in traffic, to keep storage cost at a minimum where it doesn't matter if some objects are lost:
- Use S3 Reduced Redundancy Storage (RRS)
EC2 Instance
- There is no charge for public data sets.
- Instance state can be pending, rebooting, running, stopping, stopped, shutting down and terminated.
- EBS-backed instances can be started, stopped and terminated.
Database Servers
- Should not be exposed to the internet and should reside in private subnets.
Which of the following can be used as an origin server in CloudFront?
- A web server running on EC2
- A web server running in your own datacenter.
- An Amazon S3 bucket.

You have written a CloudFormation template that creates 1 ELB fronting 2 EC2 instances. Which section of the template should you edit so that the DNS name of the load balancer is returned upon creation of the stack?
- Outputs
Is it true that EBS can always tolerate AZ failure?
- No, all EBS volumes are stored in a single AZ.
- An EBS volume has multiple copies, but within the same AZ.
You configured and peered 2 VPCs: VPC1 in a private subnet and VPC2 in a public subnet. AWS uses Direct Connect to connect to VPC1. Which methods increase fault tolerance?
- Having a VPN connection is considered as a backup to a Direct Connect connection.
- Establish a hardware VPN over the internet between VPC-1 and the on-premises network.
- Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as the VPC.
Which of the following benefits does adding a Multi-AZ deployment in RDS provide?
- A Multi-AZ deployed database can tolerate an AZ failure.
- Makes the database more available during maintenance tasks.
By default, what happens to data when an EC2 instance is terminated?
- For an EBS-backed AMI, any volume attached apart from the OS volume is preserved.
- All the snapshots of the EBS volume with the operating system are preserved.
- For an S3-backed AMI, all the data in the local (ephemeral) hard drive is deleted.
An instance must either have a public or Elastic IP in order to be accessible from the Internet.
- An Elastic IP must be assigned to access the Internet
- A public IP address is reachable from the Internet. You can use a public IP address for communication between your instances and the Internet.
- An Elastic IP address is a static IP address designed for dynamic cloud computing. If your instance doesn't have a public IP address, you can associate an Elastic IP address with your instance to enable communication with the Internet.
You have built an AMI. Another AWS account holder wants to use your AMI, but is not able to access it. What could be the issue?
- The AMI needs to be made public.
What is the basic requirement to log in to an EC2 instance on the AWS Cloud?
- Key pair.
Feature that allows you to take backups of EBS volumes:
- Snapshots.

A company wants to host a selection of MongoDB instances. They are expecting a high load and want to have low latency.
- I2
- I2 instances are optimized to deliver tens of thousands of low-latency, random I/O operations per second.
  - Well suited for NoSQL databases
  - Clustered databases
  - OLTP systems
Which of the below elements can you manage in the IAM dashboard?
- Groups
- Users
- Roles
- Policies
- Identity Providers
- Account Settings
- Credential report
- Encryption Keys
AWS Lambda supports code written in
- Node.js, Python, Java and C#
A photo-sharing service stores pictures in Amazon S3 and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for Amazon S3 operations?
- Web Identity Federation (sign in with Facebook, Google, etc.)
If resources need to be separated and a separate governance model is required for each section of resources, then it's better to have a separate AWS account for each division
- Enable AWS cross-account access for all corporate IT administrators in each child account.
- Use AWS consolidated billing by creating AWS Organizations to link the divisions' accounts to a parent corporate account.
SQS helps to facilitate horizontal scaling and encoding tasks
In the event of an unplanned outage of your primary DB, AWS RDS automatically switches over to the secondary. In such a case, which record in Route 53 is changed?
- CNAME
Failover is automatically handled by Amazon RDS so that you can resume database operations as quickly as possible without administrative intervention. When failing over, RDS simply flips the canonical name record (CNAME) for your DB instance.
Regarding tagging, you cannot tag placement groups
Monitoring data available for Amazon EBS volumes without any charge

- Basic: data is available automatically in 5-minute periods.
- Detailed: Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch.
Major advantage of having a VPN in AWS
- You can connect your cloud resources to on-premises data centers using VPN connections.
An administrator runs a highly available application in AWS. A file storage layer is needed that can be shared between instances and scale the platform more easily. Which AWS service can perform this action?
- Amazon EFS
- Amazon EFS provides scalable file storage for use with Amazon EC2. You can create an EFS file system and configure your instances to mount the file system. The EFS file system can be used as a common data source for workloads and applications running on multiple instances.
While reviewing the Auto Scaling events for your application, you notice that your application is scaling up and down multiple times in the same hour. What design choices could you make to optimize costs while preserving elasticity?
- Modify the Auto Scaling cooldown timers
- Modify the CloudWatch alarm period that triggers your Auto Scaling scale-down policy.
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet created with default ACL settings. The web servers must be accessible only to customers on an SSL connection and the database must only be accessible to web servers in a public subnet. Which solution meets these requirements without impacting other running applications?
- Create a web server Security Group that allows HTTPS port 443 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.
- Create a DB server Security Group that allows MySQL port 3306 inbound and specify the source as the web server Security Group.
(Recommended Rules)
- For WebServerSG:
  - Source: 0.0.0.0/0, Protocol: TCP, Port Range: 80. Allow inbound HTTP access to the web servers from any IPv4 address
  - Source: 0.0.0.0/0, Protocol: TCP, Port Range: 443. Allow inbound HTTPS access to the web servers from any IPv4 address
  - Note: if you have one option to select: Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.
- For DBServerSG:

  - Source: the ID of your WebServerSG, Protocol: TCP, Port Range: 1433. Allow inbound Microsoft SQL Server access from the web servers associated with the WebServerSG security group
  - Source: the ID of your WebServerSG, Protocol: TCP, Port Range: 3306. Allow inbound MySQL Server access from the web servers associated with the WebServerSG security group
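Two of the rules in these notes are worth seeing side by side: a Network ACL applies the lowest-numbered matching rule and ignores any higher-numbered rule that contradicts it (the note under "To define Network ACL for your subnet"), while a security group has only allow rules, any of which may match, and the recommended DBServerSG rules name the WebServerSG ID as the source rather than a CIDR. The following is an added example written for these notes, not AWS code: a tiny evaluator for both rule types over a constructed packet, plus an audit helper that flags the weak variant of the DB group (a database port open to 0.0.0.0/0). The security group ID is a placeholder.

```python
"""Evaluating inbound traffic against a security group and a network ACL.

Constructed example (not AWS code). Models: NACL rules evaluated in rule-number
order with first match winning and a trailing '*' deny; security groups as
allow-only rules whose source is a CIDR or another group's ID; and an audit
that flags database ports reachable from anywhere.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DB_PORTS = {1433: "Microsoft SQL Server", 3306: "MySQL"}
WEB_SG_ID = "sg-webserver-PLACEHOLDER"      # stands in for the real WebServerSG ID


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    protocol: str = "tcp"
    src_sg: Optional[str] = None            # security group of the sending instance, if any


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# Network ACL rules: (rule_number, protocol, port_from, port_to, cidr, action).
def evaluate_nacl(rules, pkt: Packet) -> Tuple[str, object]:
    """Lowest-numbered matching rule wins; the trailing '*' rule denies everything else."""
    for number, proto, p_from, p_to, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto in ("all", pkt.protocol) and p_from <= pkt.dst_port <= p_to \
                and _in_cidr(pkt.src_ip, cidr):
            return action, number
    return "deny", "*"


# Security group rules: {"proto", "from", "to", "source"}; source is a CIDR or an SG ID.
def evaluate_sg(rules, pkt: Packet) -> bool:
    """Security groups only have allow rules: any match allows, otherwise the packet is dropped."""
    for r in rules:
        if r["proto"] not in ("all", pkt.protocol) or not r["from"] <= pkt.dst_port <= r["to"]:
            continue
        if r["source"].startswith("sg-"):
            if pkt.src_sg == r["source"]:
                return True
        elif _in_cidr(pkt.src_ip, r["source"]):
            return True
    return False


def audit_sg(name: str, rules) -> List[str]:
    """Flag database ports reachable from anywhere; the source should be the web server SG ID."""
    findings = []
    for r in rules:
        if r["source"] in ("0.0.0.0/0", "::/0"):
            for port, service in DB_PORTS.items():
                if r["from"] <= port <= r["to"]:
                    findings.append(f"{name}: {service} port {port} open to {r['source']}; "
                                    f"restrict the source to {WEB_SG_ID}")
    return findings


# Constructed rule sets mirroring the recommended WebServerSG / DBServerSG rules.
WEB_SG = [{"proto": "tcp", "from": 80, "to": 80, "source": "0.0.0.0/0"},
          {"proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"}]
DB_SG = [{"proto": "tcp", "from": 3306, "to": 3306, "source": WEB_SG_ID}]
DB_SG_WEAK = [{"proto": "tcp", "from": 3306, "to": 3306, "source": "0.0.0.0/0"}]

# Rule 200 never fires for 203.0.113.0/24 because rule 100 already matched.
NACL_ALLOW_FIRST = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
                    (200, "tcp", 443, 443, "203.0.113.0/24", "deny")]
# Numbering the deny below the allow is what actually blocks that network.
NACL_DENY_FIRST = [(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),
                   (100, "tcp", 443, 443, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(evaluate_nacl(NACL_ALLOW_FIRST, Packet("203.0.113.5", 443)))
    print(evaluate_nacl(NACL_DENY_FIRST, Packet("203.0.113.5", 443)))
    print(audit_sg("DBServerSG-weak", DB_SG_WEAK))
```

The NACL pair is the point of the note: the same deny rule is dead when numbered 200 and live when numbered 90. The audit reproduces the reasoning behind the DBServerSG rules, where the source is a group ID so that only members of WebServerSG can reach port 3306 regardless of their IP addresses.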
Amazon Inspector
- Is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices.

VPC
You are working as an architect in your organization. You have peered VPC A as requester and VPC B as accepter, and both VPCs can communicate with each other. Now you want resources in both your VPCs to reach out to the internet, but anyone on the internet should not be able to reach resources within the VPCs.
- Create NAT Gateways in both VPCs and configure routes in the respective route tables with the NAT Gateway.
Your organization already had a VPC (10.10.0.0/16) set up with one public subnet (10.10.0.0/24) and two private subnets: private subnet 1 (10.10.2.0/24) and private subnet 2 (10.10.3.0/24). The public subnet has the main route table and the two private subnets have two different route tables respectively. The AWS sysops team reports a problem stating the EC2 instance in private subnet 1 cannot communicate with the RDS MySQL database which is in private subnet 2. What are the possible reasons?
- The RDS security group inbound rule is incorrectly configured with 10.10.1.0/24 instead of 10.10.2.0/24
- The 10.10.3.0/24 subnet's NACL is modified and it does not have an inbound ALLOW rule set for ALL traffic.
A new VPC with CIDR range 10.10.0.0/16 has been set up. An Internet Gateway and a new route table have been created, and a new route has been added with the Internet Gateway as target and 0.0.0.0/0 as destination. Two subnets have been created, one public and one private. A new Linux EC2 instance has been launched in the public subnet with the Auto-assign Public IP option enabled. But when trying to SSH to the new machine, the connection fails. What could be the reason?
- Both subnets are associated with the main route table; no subnet is explicitly associated with the new route table which has the Internet Gateway route.
You are an architect in your organization. Your organization wants to upload files to an AWS S3 bucket privately through the AWS VPC. In an existing VPC, you already have a subnet and a route table which contains a route to a NAT Gateway. You have created a VPC endpoint for S3 and added the same route table. But in the AWS S3 server logs you noticed that requests to the S3 bucket from an EC2 instance within the subnet associated with the above route table are going to the internet through the NAT Gateway. What could be causing this situation?
- The AWS S3 bucket is in a different region than the VPC
  - Because endpoints are supported within the same region only. You cannot create an endpoint between a VPC and a service in a different region.
  - Note: a VPC endpoint always takes precedence over a NAT Gateway or Internet Gateway. In the absence of a VPC endpoint, requests to S3 are routed to the NAT Gateway or Internet Gateway based on their existence in the route tables.
Your organization has an existing VPC with an AWS S3 VPC endpoint created and serving certain S3 buckets. You were asked to create a new S3 bucket and reuse the existing VPC endpoint to route requests to the new S3 bucket. However, after creating the new S3 bucket and sending requests from an EC2 instance via the VPC endpoint, you found the requests are failing with an "Access Denied" error. What could be the issue?
- The VPC endpoint contains a policy, currently restricted to certain S3 buckets, that does not contain the new S3 bucket.
- The AWS IAM role/user does not have access to the new S3 bucket.
  - A VPC endpoint has a policy which by default allows all actions on all S3 buckets. We can restrict access to certain S3 buckets and certain actions in this policy. In such cases, for accessing any new buckets or for any new instances, the VPC endpoint policy needs to be modified accordingly.
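The endpoint-policy cause of the "Access Denied" above can be checked before touching the IAM role: an endpoint policy is an IAM-style document, and if no Allow statement covers both the action and the new bucket's ARN, the request is denied at the endpoint. The following is an added example written for these notes, not AWS code; it evaluates a policy with the usual order (explicit Deny wins, then an Allow must match, otherwise default deny), supports the `*` wildcard, and shows the tightened policy beside the fix that adds the new bucket. Bucket names are placeholders, and the default policy shown is the full-access one AWS attaches to a new gateway endpoint.

```python
"""Why a new bucket gets 'Access Denied' through a restricted S3 VPC endpoint policy.

Constructed example, not AWS code. Evaluates an IAM-style endpoint policy
(explicit Deny beats Allow; no matching Allow means denied; '*' wildcards)
and shows the fix: adding the new bucket and its objects to the policy.
"""
import copy
from fnmatch import fnmatchcase
from typing import Dict, List, Union

# The default endpoint policy AWS attaches: full access to every bucket.
DEFAULT_ENDPOINT_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# A policy that was tightened to one bucket, as in the scenario in the notes.
RESTRICTED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::existing-bucket-PLACEHOLDER",
                     "arn:aws:s3:::existing-bucket-PLACEHOLDER/*"],
    }],
}


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _matches(patterns, value: str) -> bool:
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def endpoint_policy_allows(policy: Dict, action: str, resource_arn: str) -> bool:
    """Explicit Deny beats Allow; no matching Allow means the request is denied."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource_arn)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def grant_bucket(policy: Dict, bucket_name: str) -> Dict:
    """Return a copy of the policy with a statement covering the new bucket and its objects."""
    new_policy = copy.deepcopy(policy)
    template = next(st for st in new_policy["Statement"] if st["Effect"] == "Allow")
    new_policy["Statement"].append({
        "Effect": "Allow",
        "Principal": template.get("Principal", "*"),
        "Action": copy.deepcopy(template["Action"]),   # same actions as the existing grant
        "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
    })
    return new_policy


if __name__ == "__main__":
    obj = "arn:aws:s3:::new-bucket-PLACEHOLDER/report.csv"
    print("restricted:", endpoint_policy_allows(RESTRICTED_POLICY, "s3:PutObject", obj))
    fixed = grant_bucket(RESTRICTED_POLICY, "new-bucket-PLACEHOLDER")
    print("after grant:", endpoint_policy_allows(fixed, "s3:PutObject", obj))
```

If this evaluator says the endpoint policy allows the request and S3 still returns Access Denied, the remaining cause from the notes is the IAM role or user, which is checked the same way against its own policies.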
If instances in a private subnet cannot access the internet
 Check that you've configured your route tables correctly.
o The NAT gateway must be in a public subnet with a route table that routes
internet traffic to an internet gateway.
o Your instances must be in a private subnet with a route table that routes
internet traffic to the NAT gateway.
o Check that there are no other route table entries that route all or part of
the internet traffic to another device instead of the NAT gateway.
 Ensure that the security group rules for your private instances allow outbound
internet traffic.
o The NAT gateway itself allows all outbound traffic and traffic received in
response to an outbound request (it is therefore stateful).
Your organization is planning to develop a web application consisting of a Web
Server and an RDS Instance. This application will be accessed from the internet. Your
organization asked you to architect the solution on AWS. Your existing AWS
environment already has a VPC with a private subnet and a public subnet which has a
route to the internet through an Internet Gateway. What would be the best and most
cost-effective solution you would provide?
 Web server EC2 in the public subnet with an Elastic IP, RDS instance in the private subnet.
You are building a fleet of EC2 Linux instances in your AWS environment for
managing scheduled heavy workloads that write their data into AWS Redshift.
Developers and Administrators in your organization need to log in to these EC2
machines to develop, fix, deploy and manage the workloads, only from within your
organization's network. What would be the secure and cost-effective architecture you
would provide?
 AWS VPN connection from your organization to the AWS VPC, a bastion host in the VPN-
enabled subnet with a secure SSH key to log in, EC2 instances in a private subnet with
secure SSH keys to log in, Redshift in a private subnet (because the instances should be
accessed only from the organization network).
You have a bastion host EC2 instance in an AWS VPC public subnet. You want
to SSH to the EC2 instance. What would be the secure and minimal configuration you
need in order for the SSH request to work?
 Allow port 22 and the SSH protocol on the Security Group inbound rules, the Network ACL
inbound rules, and the Network ACL inbound rules for your IP address

# EXAM NOTES
--by robin

#### Total Cost of Ownership


* Invest in large capital expenditures to reduce TCO
* Only pay for running servers (Consideration for migrating server)
* The ability to pay as you go
* No upfront cost
* Pay-as-you-go model
* Manage AWS Organizations
* Cost Explorer
* TCO Calculator
* Manage Marketplace
* Enables Customers to find, buy and immediately start software solution in their AWS Enviro
* Support Plans
* Basic, Developer, Business, Enterprise

#### Trusted Advisor

Like your customized cloud expert, AWS Trusted Advisor analyzes your AWS environment and pro
provision your resources following AWS best practices. Trusted Advisor is an AWS service which
* Cost Optimization
* Fault Tolerance
* Service Limits
* Performance
* Security

#### Database
* Database Migration Service
* Relational Database Service (RDS)
* gives you the option of MySQL, PostgreSQL, Microsoft SQL Server, Oracle.
* DynamoDB
* NoSQL non-relational database, serverless and fully managed.
* Amazon Redshift
* Data Warehouse

#### Security

* DDoS Prevention
* AWS WAF (Web Application Firewall), AWS Shield, CloudFront and Load Balancer
* Penetration Testing
* Get permission from AWS first. It can be done on your own infrastructure only.

#### CloudTrail

* Records events within a region in AWS
* Can identify the user that made the API call when an Amazon EC2 instance was terminated.
* Helps in governance, compliance, and risk auditing in AWS

#### Acceptable Use Policy

* Describes Prohibited Actions
#### CloudFront
* Uses AWS Edge Locations for content caching.
* Helps in streaming the content in an efficient manner across the globe (ex. deployment of
#### Edge Location
* Distributes content to users
* Caches common responses
* Used in conjunction with CloudFront services
* But doesn't distribute load across multiple resources

## Key Points
##### Design for failure and nothing will fail
* Deployment of an application in multiple AZ
##### Benefit of running an application across 2 AZ's
* Increases the availability of an application
##### Web-based user interface
* AWS Mgmt Console
##### Forecast AWS Spending
* AWS Cost Explorer
##### If 90-100% utilization of EC2 instance over a year (with least cost)
* Reserved Instance
##### Secure EC2 Instances
* Usage of Security Group
* Usage of Network Access Control List(NACL)
##### Import Data into Amazon
* AWS Glacier API
* AWS Glacier SDK
* AWS S3 lifecycle policies
##### Access to Support Concierge
* Enterprise
##### Note
* AWS is a Cloud Service Provider (CSP) that doesn't directly store, transmit or process any
own card data environment (CDE) that can store, transmit or process cardholder data using AW
* If a database is going to be used for a minimum of a year, then it is better to get Reserved
you can get a better discount.
##### Deploy an application that needs to be PCI Compliant
* Choose AWS Service which are PCI Compliant
* Ensure the right steps are taken during application development for PCI Compliant
##### Feature of RDS that allows for data redundancies across regions
* Creating Read Replicas
* Ensures data is replicated to another region
##### Host self-managed database in AWS
* Hosting a database in an EC2 Instance
* which means you want complete control over the database engine and the underlying infrastr
##### Compatible MySQL database which has the ability to grow in storage size on its own
* Aurora
* is a fully managed, MySQL and PostgreSQL-compatible, relational database engine.
##### Elasticity
* ability of an application to scale up and scale down
* diverting traffic to instances based on the demand
* diverting traffic to instances with the least load
##### Link Account
* Consolidated Billing
* AWS Organization
* Using AWS Organizations, you can create **Service Control Policies** (SCPs) that centrally
##### DDoS Protection
* AWS Shield
* CloudFront
##### SQS
* decouples resources hosted in the cloud
* offers a reliable, highly-scalable hosted queue for storing msg as they travel between app
##### Disaster Recovery
* Route 53
##### Manage Infrastructure as code
* AWS CloudFormation
##### Disaster Recovery
* Backup and Restore (highest downtime)
* Pilot light
* Describes a DR scenario in which a minimal version of an environment is always running in t
* Warm Standby
* Multi Site (least downtime)
##### For jobs that can be interrupted and resumed at any time
* Spot (for periodically processing large volumes of data)
* Spot instances are a cost-effective choice if you can be flexible about when your applicat
* Well suited for data analysis, batch jobs, optional task, background processing.
##### Elastic Beanstalk
* allows developers to easily deploy and manage application in the cloud
* easy-to-use service for deploying and scaling web application and services developed with
* Java, .Net, PHP, Node.js, Python, Ruby, Go and Docker with familiar Servers such as Apache
##### CloudFront
* is a content delivery service using a global network of edge locations.
##### AWS Direct Connect
* Easy to establish network connection from your premises to AWS
* You can establish private connection between AWS and your datacenter
* You can connect VPC to remote network by using VPN connection
##### EC2
* Secure, resizable compute capacity
* Equivalent to hosting a virtual server in an on-premise location
* Allows customers to retain full administrative privileges of the underlying virtual infrastruct

##### Preventing DDoS attack from EC2
* Usage of NACL
* Usage of Security Groups
##### AMI
* You can launch as many instances as you need from an AMI
* Virtual server in the cloud
* Spin up EC2 Instances on the AWS Cloud
##### AWS Console cannot be used to upload data onto Glacier. The console can only be used t
##### Option of lifecycle policies that can be used to move objects to archive storage
* Amazon S3
##### Features of Amazon RDS for better availability of database
* Multi-AZ
* Read-Replica
##### Transfer petabytes of data from on-premise location to AWS Cloud
* AWS Snowball
##### Autoscaling
* Scaling up resources on Demand
* helps to base the number of resources on the demand of application or users
##### To prevent data loss, EBS Volume replicates in same availability zone
##### IAM Roles
* Secure communication between an EC2 Instance and S3
* An application deployed on an EC2 Instance to write data to S3 in a secure manner.
##### AWS Inspector
* Analyzes EC2 instances against predefined security templates to check for vulnerabilities
##### EMR
* Offloads the processing of large numbers of data sets
##### Principle designing Cloud Based System
* Assume everything will fail
* Build loosely-coupled components
* If one computer does fail, the entire system doesn't fail
##### Amount of Storage that can be stored in S3
* Virtually unlimited storage (unlimited amount of data)
* But max size of s3 objects = 5TB & maximum buckets = 100
##### AWS Config
* AWS Config is a service that enables you to assess, audit, and evaluate the configurations
resource configurations and allows you to automate the evaluation of recorded configuration
##### If Application is critical and must be globally availabe at all times
* Deployment to multiple Regions (prevention for disaster recovery)
##### AWS Shield Advanced
* for a higher level of protection (provides expanded DDoS attack protection)
##### Allows you to carve out a portion of the AWS Cloud
* AWS VPC (network that you'd operate in your own data center, with the benefits of using th
##### Fast, easy and secure transfer from client to S3 bucket
* S3 Transfer Acceleration
##### EC2 Costing determination
* Instance Type
* AMI Type
* Region
##### Amazon Glacier
* Infrequently accessed data
* Data archives
##### - An AZ is an isolated location within an AWS region; an edge location will deliver ca
##### - You might set up NACL with rules similar to your security groups in order to add an
* NACL is a feature associated with a subnet in VPC to protect against incoming traffic req
##### document that provides a formal statement of (one or more permissions)
* Policy
* Policy contains ( Resource, Action, Effect and Principal)
* JSON document that specifies what user can do on AWS
##### Security group
* Acts as a firewall that controls the traffic allowed to reach one or more instances
* When you launch an instance in a VPC, you can assign it up to 5 security groups
* Users can only SSH into EC2 instances that are attached to a security group
##### - When you think of cost effectiveness, you either have to choose Spot or Reserved
spot instance
##### Amazon ElastiCache (improves response time)
* Web service that makes it easy to deploy, operate and scale an in-memory data store or cac
##### 2-tier architecture
* interface runs on a client
* data layer or data structure gets stored on the server
##### To run a secondary RDS if the primary fails
* AWS Multi-AZ
##### - In case of an infrastructure failure, Amazon RDS performs an automatic failover to t
can resume database operations as soon as the failover is complete.

##### CloudWatch Logs
* Aggregate logs from EC2 instances

##### S3 Costs
* The total size of GB of all objects stored
* Total storage class used for objects stored --(cost doesn't depend on number of buckets)

##### To provide connection from on-premise infrastructure to resources hosted in AWS Cloud
* AWS Direct Connect
* AWS VPN

##### Snapshot
* is equivalent to an AMI. You can launch as many instances from the AMI as you need.
##### Secure way of using AWS API to call AWS services from EC2 instances
* IAM Roles
##### Host self managed database in AWS
* Using database on an EC2 Instance
##### Responsibility of customers when ensuring that data on EBS volume is left safe
* Creating EBS Snapshots
##### CloudWatch
* is a monitoring service. It helps to collect and track metrics, collect and monitor log fi
resources.
##### Application that must be globally available all the times
* Deployment to multiple regions (geographic locations)

Storage
Object Level Storage
 S3 and Glacier
o S3 for high durability and availability
o In case of disaster recovery, you need to enable Cross Region Replication.
o Glacier is used for archive storage. Cost-effective option. Retrieval time is
generally 3-5 hours.
 Expedited retrieval: minutes, pay extra.
o How to transfer data to Glacier
 API
 Lifecycle policies for S3
Block Level Storage
 Elastic Block Storage Volumes: don't have the same level of durability as S3
 In an AZ, they are replicated to multiple devices. But if the AZ fails, the volume is not
usable.
o You can safeguard your data by creating EBS Snapshots and copying them to
another region for disaster recovery purposes
EBS Volume types:
 General Purpose SSD
o If you have an EC2 Instance, web server and predictable workload, this option is the cost-
effective volume type
 Provisioned IOPS
o If you have an EC2 instance, database server, resource intensive, high number of
input and output operations
 In a database server, select statements are Read operations (search for
data) and Update, Insert and Delete statements are Write operations
 As the database needs to access volumes for read and write operations, the I/O
Controller (device) takes a lot of strain for these operations. If the reads
and writes are too much the controller just starts lagging behind.
 Throughput Optimized HDD
o If you have an EC2 instance, processing server, processing videos or files with large
size, streaming videos or high throughput.
 More cost-effective than Provisioned IOPS
 400 MiB/s
 Cold HDD
o Infrequently accessed storage
 If you have high frequency for 2 months, you can even store the videos for 2 months on
Throughput Optimized HDD. After 2 months, have a script which transfers the videos to
Cold HDD.
Databases
 AWS RDS (Oracle, Microsoft SQL Server, MySQL, PostgreSQL, MariaDB)
o Use Multi-AZ RDS for high availability. If the primary DB fails, AWS will
automatically switch your endpoint to the standby (Secondary DB). You don't
have access to the standby (only AWS does).
o For automated backups of RDS, copy the snapshots to another region.
o AWS RDS Read Replicas are available for MySQL, PostgreSQL and MariaDB.
o You have asynchronous replication from the primary DB to the secondary DB. You now
have access to the secondary DB because you are given another endpoint.
o Use read replicas when you have performance problems on the primary DB, i.e.
when your primary DB is getting a lot of hits.
 DynamoDB
o Fully managed NoSQL database.
o You also have indexes: global and local secondary indexes.
o Highly available and durable
o Infrastructure scales automatically based on demand
o Before creation of the table you can choose autoscaling for read and write
throughputs.
 Aurora (MySQL and PostgreSQL compatible)
o MySQL workload. You want a faster MySQL engine. Better performance. Fully
managed. Your IT management doesn't have the time and resources for
maintenance. High availability. Low latency.
 Redshift
o Columnar database: when you need aggregation over your data
o Data warehouse / petabyte database
o Data in Redshift is stored column-wise. SQL-oriented databases store data on
disk row-wise. Column-wise storage makes it easier to search.
o You can use Business Intelligence tools with the data.
o Database recovery: you can enable cross-region snapshots. You can restore the
data into a new cluster with the snapshot data.
Compute
Instance pricing
 On-Demand Instances
o Good for development and test environments. When you want instances for a
certain period of time.
 Spot Instances
o Batch processing activities. Activities that can survive an interruption.
 Reserved Instances
o When you know you need servers 24*7 and all throughout the year, you can save
cost by purchasing Reserved capacity.
 Dedicated Instances
o Run on hardware that is dedicated to the customer. But if the customer has
multiple AWS accounts, then instances can share the same hardware.
 Dedicated Hosts: you have control over the physical server. Use them if you have a third-party
application whose licensing is based on the number of cores, or if your security
policy mandates that you cannot share infrastructure.
Serverless Compute
 AWS Lambda
o You don't have to manage the infrastructure
o You only get billed for how much you use.
o Easy to port existing code and save on costs.
o Normally used in conjunction with API Gateway
o You can create APIs which can be invoked by customers.
o The API can then call the Lambda function
Elastic Container Service
* Used for orchestration
* Instead of you installing orchestration services like Kubernetes on EC2, let
ECS manage it for you.
* You define a task (definition) that specifies the container images
* ECS deploys the containers on instances
* You can then access them via a Service
* You also have autoscaling capabilities
Elasticity and Scalability
 For Elasticity- Use a load balancer
 For scalability use an AutoScaling Group
 You can launch instances in an AutoScaling group based on different metrics.
 In addition to the normal metrics such as CPU utilization, you can define your custom
metrics.
Autoscaling Policies
 Scheduled Scaling Policy
o Promotional event: you need to ensure the infrastructure is scaled before the event
o Team that experiences performance issues only at a certain time: heavy
utilization early in the morning.
 Dynamic Scaling Policy
o Scale dynamically based on metrics
o If the CPU utilization is high
o Based on custom metrics
 Cool down timing period
o 3 servers
o Performance starts taking a hit. You have a CloudWatch alarm that gets triggered
at 9:00
o Autoscaling spins up 2 more servers. Total of 5 servers.
o Now new software needs to be installed. Scripts need to run to ensure the new
servers can start accepting requests. This takes 10 minutes.
o But let's say in 5 minutes, again your CloudWatch alarms have been triggered and
Autoscaling again starts spinning up new servers.
o So you have not allowed the current infrastructure of 5 servers to settle
down.
o Cool down timer: increase the timing period to allow more time for the
infrastructure to settle down. The CloudWatch alarms, if triggered, can be ignored
during this period.
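The cool-down scenario above, replayed as an added example (not from the original notes): the alarm times, the 10-minute setup and the cool-down lengths are constructed values, and the rule modelled is the simple one the notes describe (alarms during the cool-down are ignored), not the full behaviour of the AWS Auto Scaling service.

```python
"""Autoscaling cool-down simulation (added example, not from the original notes).

Scenario from the notes: 3 servers, an alarm at 9:00 adds 2 servers that take
10 minutes to become ready, and the alarm fires again 5 minutes later. With a
cool-down shorter than the setup time the group scales again before the first
2 servers serve any traffic; with a longer cool-down the second alarm is ignored.
"""


def simulate(alarm_times_sec, start=3, step=2, ready_after_sec=600, cooldown_sec=300):
    """Replay scale-out alarms (seconds after 9:00) and return the scaling log.

    Each log entry is (time, event, total_servers, in_service_servers), where
    in_service counts only servers that have finished their setup scripts.
    """
    total = start
    pending = []          # (ready_time, count) for servers still being set up
    last_scale = None     # time of the most recent scale-out, starts the cool-down
    log = []
    for t in sorted(alarm_times_sec):
        in_service = total - sum(n for ready, n in pending if ready > t)
        if last_scale is not None and t - last_scale < cooldown_sec:
            # Alarm fired inside the cool-down window: ignored, no new servers.
            log.append((t, "alarm ignored (cool-down)", total, in_service))
            continue
        total += step
        pending.append((t + ready_after_sec, step))
        last_scale = t
        log.append((t, f"scale out +{step}", total, in_service))
    return log


def final_total(alarm_times_sec, **kwargs):
    """Total servers after all alarms have been handled."""
    log = simulate(alarm_times_sec, **kwargs)
    return log[-1][2] if log else kwargs.get("start", 3)


if __name__ == "__main__":
    # 5-minute cool-down: second alarm at 9:05 scales again while 0 new servers are ready.
    for entry in simulate([0, 300], cooldown_sec=300):
        print(entry)
    # 10-minute cool-down: the 9:05 alarm is ignored; a 9:15 alarm scales on top of 5 ready servers.
    for entry in simulate([0, 300, 900], cooldown_sec=600):
        print(entry)
```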
SQS Queue
 Front end server-->SQS Queue-->AutoScaling Group Instances
 Can trigger scaling based on the number of messages in the queue
 So if the number of messages goes beyond a point, then do a scale up operation
ElastiCache
 Front end server-->ElastiCache-->Database Server
 Used when you want to cache frequently used data such as query results
 Add ElastiCache in front of the Database Server
Security Practices
AWS CloudTrail
 Used to monitor all API activity in an AWS Account.
 It's good for compliance purposes
 Also, if you suspect any malicious activity in your account, check the CloudTrail logs to see
if any irregular API activity has been fired
 Enable CloudTrail for all regions. All future regions also get covered.
IAM
 Use access with least privilege
 Use Multi-Factor Authentication
 Change the password policy.
 Disable the root access keys
 Buckets in S3
o Manage via Bucket Policy
o Use a Bucket policy when giving access to external accounts
o Use Pre-signed URLs if you don't want to give public access to the bucket, and
you want a selection of users to get access to the objects.
 IAM Roles
o Used for secure access to resources
o If you have an application on an EC2 Instance which needs to access a service like
S3 or DynamoDB, then attach an IAM Role to the EC2 Instance with that specific
privilege
o Access Keys are OK to use during development time, but not in deployment or
production
o Even when using a Lambda function, if it accesses an external resource like
DynamoDB or S3, ensure an IAM Role is attached to the Lambda function.
Network Security
 A NAT instance or NAT gateway is used to allow instances in a private subnet to access the
Internet.
 If you want instances in a private subnet to access public resources like DynamoDB, S3,
KMS, you have to use VPC Endpoints.
 VPC Gateway Endpoints- S3 and DynamoDB
 VPC Interface Endpoints- KMS
 For KMS, Create a VPC Endpoint, attach it to the VPC and make the instances in the
private subnet access the resources via the endpoint.
 For Redshift, if you want the LOAD or COPY process to be private via a VPC, then enable
Redshift Enhanced VPC Routing.
 Monitoring IP addresses of traffic into your VPC- Use VPC Flow Logs
 Use a bastion host for administrators to administer instances in the private subnet.
Security for your VPC
Security Groups
 Used to control traffic to your EC2 Instances
 By default all traffic is denied
Network ACLs
 When you want to limit traffic for a subnet
 Remember this will affect all instances in that subnet
 When you have malicious traffic from a set of EC2 Instances, deny traffic based on their IP
addresses.
NAT
 When would you use a NAT gateway
o When your NAT Instance is becoming a bottleneck.
o When you want a completely managed service
 When would you want to use a NAT instance
o If you want to use the server as a proxy server as well
 High Availability for NAT Instances
o Create an Autoscaling Group
o Have multiple NAT instances in multiple AZs
 High Availability for NAT Gateway
o Have multiple NAT gateways in multiple AZs
Encryption
EBS Volumes
 You can enable encryption for EBS Volumes using the Customer Key defined in the KMS
service.
 This needs to be done at volume creation time
 If there is already an existing volume, you can use Operating System level tools like
BitLocker for Windows for encryption
AWS RDS
 You can also enable encryption of the AWS Relational Database Service and Aurora. This will
automatically also encrypt all logs and snapshots.
DynamoDB
 You can also enable encryption for DynamoDB tables at table creation time
S3
 Server Side Encryption
o Using AWS Managed Keys
o Using KMS Keys
o Using Customer Managed Keys when uploading the object.
 Client Side Encryption
Key Management Service
 Fully managed key service from AWS
 You can define Customer master keys
 You can then use the keys for encryption
Cloud HSM
 This is when you want complete control of your keys
 Sometimes required from a compliance perspective
 It's a hardware device that can be accessed via an IP through your VPC.
Performance for Services
 DynamoDB Accelerator (DAX): in-memory cache for DynamoDB. Fully managed. Use it when you
have millions of requests per second for DynamoDB and you want to reduce the latency of access
to the DynamoDB table.
 Amazon S3
o Recommended practice if your workload has more than 100 requests per
second for objects in an S3 bucket.
o Amazon S3 uses the key name to store the objects in multiple partitions. It then
creates an index based on this.
o For better performance, it is better that the keys are distributed across multiple
partitions (use a random hash prefix as part of the key during the upload process).
Network
 Better network throughput: use EC2 Instances with Enhanced Networking
 Place instances in a placement group for low latency between the instances. But the
instances must be in the same AZ
 Use EC2 Instances with the EBS Optimized instance type.
 For connections between on-premise and AWS (hybrid IT connectivity): use AWS Direct
Connect
 If you want secure connections between on-premise and AWS: use AWS Managed
VPN Connections
 For connections between on-premise and AWS with both low latency and encryption:
first, create a Direct Connect Connection. Then use AWS VPN over the Direct Connect
Connection.
Operational Excellence
 Always look towards ease of use and automation
o Microservices-based application with orchestration: choose the Elastic Container
Service
o Quickly provisioning development environments: use Elastic Beanstalk; it can
also create custom Docker environments.
o If you want to automate the provisioning of infrastructure: use CloudFormation
o If you have configuration tools such as Chef and you want to use AWS, use the
AWS OpsWorks service.
 Use Autoscaling for managing scalability
o Web Tier
o Application Tier
o Proxy Servers
o NAT Instances
o Put the right conditions for Scale In and Scale Out
 Managing Deployments
o Blue/Green Deployments: use Route 53 for managing traffic, with the Weighted
Routing Policy
o Working with failure in mind: use the Route 53 failover policy to direct users to a
static web site in S3.
o If you have users across the globe and you have a web application: use
CloudFront to distribute the traffic.
 AWS Lambda for automation
o Use case: used along with AWS CloudWatch Events to carry out tasks. If you see
an instance has been compromised, you can use the events and Lambda to
terminate the instance
o Use case: storing objects in S3. The metadata for the object needs to be stored in
DynamoDB. Add an S3 event, call a Lambda function. The function will read the
object metadata and insert the data into DynamoDB.

Lambda
Min memory = 128 MB, Max memory = 3008 MB, can update in 64 MB increments

 If the function reaches the maximum configuration, it will throw an error message
(process exited before completing request)

Lambda function is set to run in a private VPC without a NAT Gateway or VPC
Endpoint.

 A Lambda function can run within a private VPC with the resources allocated inside
the subnet provided during configuration.

For the Lambda function to access the S3 service endpoint from within a private VPC,
there should be a NAT Gateway or S3 VPC Endpoint configured in the route table
associated with the subnet which was chosen during Lambda function setup. If
not, the request will time out.

Services not supported by Lambda:

 AWS CodePipeline
 AWS OpsWorks

AWS Lambda Dead Letter Queues builds upon the concept by enabling Lambda
functions to be configured with an SQS queue or SNS topic as a destination to
which the Lambda service can send information about an asynchronous request
when processing fails.

AWS Lambda runs your function code within a VPC by default. However, to enable
your Lambda function to access resources inside your private VPC, you must
provide additional VPC-specific configuration information that includes VPC
subnet IDs and security group IDs. AWS Lambda uses this information to set up
elastic network interfaces (ENIs) that enable your function to connect securely to
other resources within your private VPC.

 If you get "connection failed" while connecting to RDS from Lambda, it may be that:
o the Lambda function is running in "no VPC" network mode.
o Lambda is running in the same VPC as RDS, but the RDS instance's security group is
not allowing connections from the Lambda subnet range.

Customer's responsibility with respect to the AWS Lambda service?

 Lambda function code.
 Providing access to the AWS resources which trigger the Lambda function.

Supported language

 Node.js, Java, Go, C#, and Python

Ephemeral disk capacity ("/tmp" space) is 512 MB. Potential use cases of Lambda are:

 Periodically check the log files for errors in CloudWatch or CloudTrail and send
out notifications through SNS.
 Scheduled job to generate AWS resource usage reports based on certain tags.
 A website with a highly scalable backend layer which will persist data into RDS or
DynamoDB.

AWSLambdaKinesisExecutionRole

 Grants permission for Amazon Kinesis Data Streams actions and CloudWatch
Logs actions. If you are writing a Lambda function to process Kinesis stream
events you can attach this permission policy. Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:GetRecords",
                "kinesis:GetShardIterator",
                "kinesis:ListStreams",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Note: the Lambda execution role policy does not have access to create CloudWatch
logs.

When configuring AWS SQS as event source for AWS Lambda function, what is the
maximum batch size supported by AWS SQS for ReceiveMessage call?

 10

Use constant values in CloudWatch Events-triggered Lambda functions

Lambda Invoke API

 You can invoke a Lambda function using a custom event through AWS Lambda's
Invoke API. Only the function's owner or another AWS account that the owner
has granted permission can invoke the function.
 If you are using the versioning feature, you can invoke a specific function
version by providing the function version, or an alias name that points to the
function version, using the Qualifier parameter in the request. If you don't provide
the Qualifier parameter, the $LATEST version of the function is invoked.
 If you use the RequestResponse (synchronous) invocation option, the function will be
invoked only once.
 If you use the Event (asynchronous) invocation option, the function will be invoked at
least once in response to the event, and the function must be idempotent to handle this.
 The Lambda Invoke API is useful in a scenario where you are trying to migrate from
on-premise to AWS while running processes based on triggers from other
applications.

Amazon CloudFront events can be used to trigger function (AWS Lambda@edge)

Do AWS Lambda functions remain available when I change the code or its
configuration?

 Yes. When you update a Lambda function, there will be a brief window of time,
typically less than a minute, when requests could be served by either the old or
new version of your function.

Pull based services supported by Lambda

 AWS Kinesis
 Amazon DynamoDB
 Amazon SQS

If you have two accounts, add permission on the account which would trigger
Lambda on the other account through the AWS CLI

 You can also grant cross-account permissions using the function policy. For
example, if a user-defined application and the Lambda function it invokes belong
to the same AWS account, you don't need to grant explicit permissions.

Lambda dead-letter queue pushes unprocessed events to:

 AWS SQS
 AWS SNS

Storing Sensitive Information

 The Lambda console provides encryption helpers that leverage AWS KMS to store
sensitive information as ciphertext.
 The Lambda console also provides decryption helper code to decrypt that
information for use in your Lambda function code.

Which of the following actions are required by Lambda execution role in order to
write the logs into AWS CloudWatch?

 logs:CreateLogGroup
 logs:CreateLogStream
 logs:PutLogEvents
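Two of the permission problems in these notes (a VPC endpoint policy that lists only the existing buckets, so a new bucket gets "Access Denied" until the policy is updated, and an execution role that lacks the three logs actions listed above) can be reproduced offline with a simplified policy evaluator. This is an added example, not the notes' or AWS's code: bucket names, the account id and the region are constructed placeholders, and the evaluator models only Allow/Deny with wildcard Action and Resource matching, not Conditions, NotAction/NotResource, SCPs or permission boundaries.

```python
"""Simplified IAM-style policy evaluation (added example, not from the original notes).

Models the part of IAM evaluation that explains two symptoms in the notes:
an S3 VPC endpoint policy restricted to certain buckets denies a newly created
bucket, and a Lambda execution role must allow logs:CreateLogGroup,
logs:CreateLogStream and logs:PutLogEvents before it can write to CloudWatch
Logs. Real IAM evaluation also applies Condition blocks, NotAction/NotResource,
SCPs and permission boundaries, which this toy ignores.
"""
import fnmatch
import json

LOG_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    if case_insensitive:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if case_insensitive else p)
               for p in _as_list(patterns))


def is_allowed(policy_json, action, resource):
    """Explicit Deny wins over Allow; with no matching Allow the default is deny."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource are not modelled here")
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not _match_any(stmt["Action"], action, case_insensitive=True):
            continue
        if not _match_any(stmt.get("Resource", "*"), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def add_bucket_to_endpoint_policy(policy_json, bucket):
    """Return a new endpoint policy that also covers `bucket` and its objects."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] == "Allow":
            resources = list(_as_list(stmt["Resource"]))
            resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
            stmt["Resource"] = resources
    return json.dumps(policy)


def missing_log_actions(role_policy_json, account="111122223333", region="us-east-1"):
    """The CloudWatch Logs actions an execution role still lacks (empty = can log)."""
    log_arn = f"arn:aws:logs:{region}:{account}:*"   # placeholder account/region
    return [a for a in LOG_ACTIONS if not is_allowed(role_policy_json, a, log_arn)]


# Constructed endpoint policy restricted to one existing bucket.
ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::existing-bucket", "arn:aws:s3:::existing-bucket/*"],
    }],
})

# The AWSLambdaKinesisExecutionRole-style policy shown in the notes.
KINESIS_EXECUTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kinesis:DescribeStream", "kinesis:GetRecords",
                   "kinesis:GetShardIterator", "kinesis:ListStreams",
                   "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
})

# Constructed role that can read the stream but was never granted log permissions.
KINESIS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kinesis:*", "Resource": "*"}],
})
```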

The AWS/Lambda metrics namespace includes:

 Invocations
 Errors
 Dead Letter Errors
 Duration
 Throttles
 IteratorAge
 ConcurrentExecutions
 UnreservedConcurrentExecutions

If you have a requirement such as "the code should not run if the version is $LATEST":

 getFunctionVersion from the context object
o If an alias is used to invoke the function, then getFunctionVersion will be
the version the alias points to.
 Use the AWS_LAMBDA_FUNCTION_VERSION environment variable
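The two requirements from the Invoke API notes (a function invoked with the Event option must be idempotent because it can run more than once) and from the version check above (refuse to run on $LATEST) in one handler, as an added example that is not part of the original notes. It assumes the Python runtime, where the context exposes function_version (the counterpart of getFunctionVersion); the processed-id store is an in-memory dict standing in for a durable table such as DynamoDB, and the context object and event payload are constructed.

```python
"""Idempotent Lambda handler with a $LATEST guard (added example, not from the original notes).

Asynchronous (Event) invocations are delivered at least once, so the handler
keys its work on the event's unique id and returns the stored result for an id
it has already processed instead of doing the work twice. The version guard
reads context.function_version and falls back to AWS_LAMBDA_FUNCTION_VERSION.
"""
import os
from types import SimpleNamespace

# Constructed stand-in for a durable idempotency table keyed by event id.
# Assumption: in a real function this must live outside the execution
# environment (for example a DynamoDB table written with a conditional put),
# because memory is not shared across concurrent executions.
PROCESSED = {}


def resolve_version(context):
    """Published version number, alias-resolved version, or '$LATEST'."""
    version = getattr(context, "function_version", None)
    return version or os.environ.get("AWS_LAMBDA_FUNCTION_VERSION", "$LATEST")


def compute_order_total(event):
    """Placeholder business logic: order total in cents from the event payload."""
    return sum(item["qty"] * item["price_cents"] for item in event["items"])


def handler(event, context):
    version = resolve_version(context)
    if version == "$LATEST":
        # Only published versions (or aliases pointing at one) may run.
        return {"status": "rejected", "reason": "unpublished $LATEST version"}
    event_id = event["id"]
    if event_id in PROCESSED:
        # Redelivery of an event already handled: same result, no repeated work.
        return {"status": "duplicate", "result": PROCESSED[event_id]}
    result = compute_order_total(event)
    PROCESSED[event_id] = result
    return {"status": "processed", "result": result}


def make_context(version):
    """Constructed stand-in for the Lambda context object."""
    return SimpleNamespace(function_version=version,
                           aws_request_id="constructed-request-id")


if __name__ == "__main__":
    event = {"id": "evt-0001", "items": [{"qty": 2, "price_cents": 150}]}
    print(handler(event, make_context("$LATEST")))   # rejected
    print(handler(event, make_context("3")))         # processed, result 300
    print(handler(event, make_context("3")))         # duplicate, result 300
```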

Lambda invocation
