AWS CSAA Key Words Study Note
I mentioned the AWS CSAA Key Words note in How I Passed AWS CSAA in 3 Months. The Key Words note is a quick cheat sheet to review before the exam. It is based on the practice from my study and the questions from mock exams, so it does not cover all AWS terms. Here is a reference to build your own Key Words note:
Security group vs. Access Control List (ACL)
| Security Group | Network ACL |
| --- | --- |
| Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense) |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group) |
Review details and diagram: AWS Virtual Private Cloud
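To make the stateful/stateless and rule-ordering rows of the table concrete, here is a small evaluator added for this note (not AWS code): it models a security group as "any matching allow rule permits" and a network ACL as "lowest-numbered matching rule wins, implicit deny otherwise", then shows why a NACL needs an explicit outbound rule for the client's ephemeral port while a security group does not. The rule sets and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed mini-model of the evaluation semantics in the table above; illustration only.

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; ignored for security groups
    action: str      # "allow" or "deny" (security groups only use "allow")
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # remote CIDR the rule applies to

def _matches(r: Rule, proto: str, port: int, addr: str) -> bool:
    return (r.proto in ("all", proto)
            and r.port_from <= port <= r.port_to
            and ipaddress.ip_address(addr) in ipaddress.ip_network(r.cidr))

def sg_allows(rules: list[Rule], proto: str, port: int, addr: str) -> bool:
    """Security group: every rule is evaluated; any matching allow rule permits.
    Stateful, so only the initiating direction needs a rule."""
    return any(r.action == "allow" and _matches(r, proto, port, addr) for r in rules)

def nacl_allows(rules: list[Rule], proto: str, port: int, addr: str) -> bool:
    """Network ACL: rules are processed in ascending number order and the first
    match wins; the implicit final '*' rule denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, addr):
            return r.action == "allow"
    return False

def nacl_flow_allowed(inbound: list[Rule], outbound: list[Rule], proto: str,
                      port: int, client: str, ephemeral: int) -> bool:
    """Stateless: the request inbound AND the reply outbound (to the client's
    ephemeral port) must each be explicitly allowed."""
    return (nacl_allows(inbound, proto, port, client)
            and nacl_allows(outbound, proto, ephemeral, client))

# Constructed sample rule sets for an HTTPS web server subnet.
SG_WEB = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
# Deny one block (rule 50) before the broad allow (rule 100): order matters.
NACL_IN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
           Rule(50, "deny", "tcp", 443, 443, "203.0.113.0/24")]
# Same rules with numbers swapped: the deny is never reached.
NACL_IN_BAD_ORDER = [Rule(50, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                     Rule(100, "deny", "tcp", 443, 443, "203.0.113.0/24")]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT = NACL_OUT_NO_EPHEMERAL + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
```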
S3
- S3-Standard – Durability of 99.999999999% and availability of 99.99%.
- S3-IA (Infrequently Accessed) – Durability of 99.999999999% and availability of 99.99%.
- S3-RRS (Reduced Redundancy Storage) – Durability and availability of 99.99%. Use it for data that is OK to recreate if lost.
- Glacier – For archival only. Takes 3 – 5 hours to restore files. Durability of 99.999999999%.
- AWS Import/Export accelerates moving large amounts of data into and out of AWS using portable storage devices for transport, but it does not support export from Glacier.
- S3 encryption can be done server-side with S3-managed keys (SSE-S3), KMS-managed keys (SSE-KMS) or customer-provided keys (SSE-C), or on the client side.
AWS Databases
| Scenario | Type |
| --- | --- |
| A managed relational database in the cloud that you can launch in minutes with just a few clicks. | RDS |
| A fully managed MySQL-compatible relational database with 5X performance and enterprise-level features. | Aurora |
| A fully managed NoSQL database that offers extremely fast performance, seamless scalability and reliability. It supports both document and key-value store models. | DynamoDB |
| A fast, fully managed, petabyte-scale data warehouse at less than a tenth the cost of traditional solutions. The optimum query performance comes from a combination of massively parallel processing, columnar data storage, and very efficient, targeted data compression encoding schemes. | Redshift |
EC2 Instance Purchasing Options
- On-Demand Instances – Pay, by the second, for the instances that you launch.
- Reserved Instances – Purchase, at a significant discount, instances that are always available, for a term from one to three years.
- Scheduled Instances – Purchase instances that are always available on the specified recurring schedule, for a one-year term.
- Spot Instances – Bid a price, which can lower costs significantly. (Compare this option vs. Reserved/On-Demand in the exam.)
- Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs.
- Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.
Management Tools
- CloudWatch – Monitor performance of the AWS environment (standard infrastructure metrics).
- CloudTrail – Audit usage of AWS resources (AWS API calls written to log files).
- Trusted Advisor – Provides best practices (or checks) in four categories: cost optimization, security, fault tolerance, and performance improvement.
- CloudFormation – Infrastructure template to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
Route 53
Choose an Alias record over a CNAME record for an ELB.
Routing policy:
- Simple routing policy – default.
- Failover routing policy – Use when you want to configure active-passive failover.
- Geolocation routing policy – Use when you want to route traffic based on the location of your users.
- Geoproximity routing policy – Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
- Latency routing policy – Use when you have resources in multiple locations and you want to route traffic to the resource that provides the best latency.
- Multivalue answer routing policy – Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
- Weighted routing policy – Use to route traffic to multiple resources in proportions that you specify.
Kinesis/EMR/Redshift
| Kinesis | Elastic Map Reduce (EMR) | Redshift |
| --- | --- | --- |
| Consume large streams of data | Process big data | Business intelligence, OLAP |
Use case: use Kinesis to collect big data and analyze it with Kinesis clients, then use EMR to save the BI results to Redshift.
SNS/SQS/SWF/SES/STS
- SNS – Push messages to topics. Notify by email, text message or HTTP endpoint.
- SQS – Pull messages from a queue. Decouple your applications. Standard queue: at-least-once delivery; FIFO queue: exactly-once processing.
- SWF – Process orders on the website. A task is assigned only once and is never duplicated. Maximum workflow execution time: 1 year.
- SES – Send email via AWS.
- STS – Security Token Service, used to request temporary, limited-privilege credentials.
Root Privileges vs. Fully Managed
AWS provides root or system privileges on EC2, EMR, Elastic Beanstalk and OpsWorks. DynamoDB, SNS, and SQS are fully managed.
AZ vs. Region
- Placement group – Logical grouping of instances within a single AZ.
- VPC – Multiple VPCs (default limit 5) per region.
- RDS – Primary data in a single AZ; backups can span multiple AZs.
- Direct Connect – Access all AZs within a region.
- CloudFront – CDN cache on edge locations (different from AZs and regions).
- Auto Scaling Group – Spread over subnets (AZs).
- Please review the post AWS Global Infrastructure for details.
VPC
- Only one internet gateway per VPC.
- Each EC2 instance in the default VPC gets a public and a private IP address.
- Create a new route table for customization instead of adding custom rules (e.g. a NAT gateway) to the default route table.
- You can't change the size of a VPC after you create it.
- In each VPC you create, AWS reserves 5 IP addresses for itself: the first 4 and the last IP in the CIDR block.
- Create VPC peering between your own VPCs or with a VPC in another account in the same region; transitive peering relationships are not supported.
- Please review the post AWS Virtual Private Cloud for details.
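A helper added for this note (not AWS code) that lists the five reserved addresses of a CIDR block as described above (first four and last) and the usable host count left over; it also rejects blocks outside the /16 to /28 range that AWS accepts for a VPC. The sample CIDRs are constructed.

```python
import ipaddress

def reserved_addresses(cidr: str) -> list[str]:
    """Return the five addresses AWS reserves in a CIDR block: the first four
    (network address, VPC router, DNS server, reserved for future use) and the
    last one (broadcast address, which a VPC does not use).
    Raises ValueError for a block outside the /16 to /28 range AWS accepts."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS VPC CIDR blocks must be between /16 and /28")
    return [str(net[i]) for i in range(4)] + [str(net[-1])]

def usable_hosts(cidr: str) -> int:
    """Addresses available to your instances after AWS's five reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))

if __name__ == "__main__":
    for block in ("10.0.1.0/24", "10.0.0.0/28"):   # constructed examples
        print(block, reserved_addresses(block), usable_hosts(block))
```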
Conclusion
Always keep the 4 pillars of the Well-Architected Framework (WAF: security, reliability, performance efficiency and cost optimization) in mind for any tricky question during the exam.