Lambda

• Setup one role per Lambda function; don't reuse roles
• Use a function via an API gateway
• Don't store passwords - use AWS secrets manager

Route 53

• Most important features
  • Registration
  • DNS Service
  • Health Checks

Domain vs Hosted Zone

• Domain is a construct of DNS servers that associates a name with a resource
• Domains have zone files
  • Zone files are a text mapping of different resources.

Route 53 health checks

• Allows the checking of application health.
• Can be used to reroute traffic if a resource is unhealthy

Cheking Health of an endpoint

• Create a check from Route 53
• Checks can be done on an IP address or domain name
  • • Can also be a URL that contains data from services
    • These can mirror the actions a user would normally perform

• Calculated health checks act as a root health check
  • • Monitor other health checks
    • Can fail before the origin is considered unhealthy
    • This will fail if any of it's alarms go off.

Route 53 Security Considerations

• Use Route 53 health checks with CloudWatch to monitor services
• Make sure DNS Entries have auto-renew enabled
  • | Famous forgotten DNS names
• Enable DNS query logging

RDS Servicess

• Removes the overhead of having a DBA on staff.
• Read replicas are easy to provision with RDS.
  • These are read-only and will not allow writes.
• An instance can be made HA replicating to another region or AZ.
  • A replicated primary cannot serve any other function.
    • It cannot work as a read replica.
• Read replicas can be promoted to a standalone database
  • If promoted, they will no longer stay in sync with the master.

RDS Security Considerations

• Don't use the AWS root user to create and manage resources.
• Using security groups to control what IPs and services can connect to RDS services
  • Remember Least privilege
• Use encryption to protect RDS data and snapshots
• Use least privilege when granting permissions to the database
• USE AWS backup service to back up data via cross-account backups.

Amazon Aurora

• This is an alternative to Oracle and MS SQL without licensing problems.
• IS compatible with MySQL and PostgreSQL
• It can be run serverless or as a cluster.

Key Value Databases

• An example is Dynamo DB
• They store key value pairs
• Designed for performance and scalability
• Each key is a UID that pulls a value from the database.

In Memory Databases

• All data is stored in RAM
• Uses specialized hardware
• Offers fast performance and very low latency
• More expensive due to the use of RAM
• Can be used as a caching layer to reduce application latency.
• AWS offers the service as Elasicashce
  • Two different engines:
  • Redis and Memcached
  • Clusters use SSDs that enable encryption at rest.
  • Other memory databases may just run in RAM.

Document Databases

• Non Relational database that stores documents
• Allows data to be stored in a JSON type format
• No Fixed Schema
• Documents can be nested inside each other
• AWS has DocumentDB - Compatible with Mongo DB as a managed document database
• Good if you don't want the admin aspects of a database.

Message and Queuing systems

• Used to decouple components
• Increases resiliency

SNS - Simple Notification Service

• Alows services to send notifications SMS / EMAIL / Push to end users
• No complex programming required
• AWS services (such as Coudwatch) can use SNS.

• SNS is a Publisher and a Consumer system
  • Publishers push a message to a topic
  • Consumers subscribe to a topic
  • The topic is a Chanel sending the message to multiple consumers
  • Publisher only sends the message once

Security Considerations for SNS

• Only apply the minimum permissions necessary to perform the work least privilege
• An application sending or receiving messages does not need administrative permissions for the topic.
• Enforce encryption for data in transit
  • HTTPS instead of HTTP when sending messages to a topic.
• Use VPC endpoints to access SNS
  • Route requests from hosts VPC endpoints rather than the public internet. Keep data off internet